Abstract

Fragments of first-order temporal logic are useful for representing many practical privacy and security policies. Past work has proposed two strategies for checking event trace (audit log) compliance with policies: online monitoring and offline audit. Although online monitoring is space- and time-efficient, existing techniques insist that satisfying instances of all subformulas of the policy be amenable to caching, which limits expressiveness when some subformulas have infinite support. In contrast, offline audit is brute force and can handle more policies but is not as efficient. This paper proposes a new online monitoring algorithm that caches satisfying instances when it can, and falls back to brute force search when it cannot. Our key technical insight is a new flow- and time-sensitive static check of variable groundedness, called the temporal mode check, which determines the subformulas for which such caching is feasible and those for which it is not and, hence, guides our algorithm. We prove the correctness of our algorithm and evaluate its performance over synthetic traces and realistic polic


* This is the extended version of the paper titled "Temporal Mode-Checking for Runtime Monitoring of Privacy Policies" that appears in the 26th International Conference on Computer Aided Verification (CAV) 2014. All the opinions expressed in this paper represent only the authors' views.


Keywords: Mode checking, runtime monitoring, metric first-order temporal logic, privacy policy, privacy legislation, privacy policy compliance checking, HIPAA, GLBA.


1  Introduction 


Many organizations routinely collect sensitive personal information like medical and financial records to carry out business operations and to provide services to clients. These organizations must handle sensitive information in compliance with applicable privacy legislation like the Health Insurance Portability and Accountability Act (HIPAA) [1] and the Gramm-Leach-Bliley Act (GLBA) [2]. Violations attract substantial monetary and even criminal penalties [3]. Hence, developing mechanisms and automatic tools to check privacy policy compliance in organizations is an important problem.

The overarching goal of this paper is to improve the state of the art in checking whether an event trace or audit log, which records relevant events of an organization's data handling operations, is compliant with a given privacy policy. At a high level, this problem can be approached in two different ways. First, logs may be recorded and compliance may be checked offline, when demanded by an audit authority. Alternatively, an online program may monitor privacy-relevant events, check them against the prevailing privacy policy and report violations on the fly. Both approaches have been considered in the literature: an algorithm for offline compliance checking has been proposed by a subset of the authors [4], whereas online monitoring has been the subject of extensive work by other researchers [5-11].

These two lines of work have two common features. First, they both assume that privacy policies are represented in first-order temporal logic, extended with explicit time. Such extensions have been demonstrated adequate for representing the privacy requirements of both HIPAA and GLBA [12]. Second, to ensure that only finitely many instances of quantifiers are tested during compliance checking, both lines of work use static policy checks to restrict the syntax of the logic. The specific static checks vary, but always rely on assumptions about finiteness of predicates provided by the policy designer. Some work, e.g. [5], [8]-[11], is based on the safe-range check [5], which requires syntactic subformulas to have finite support independent of each other; other work, e.g. [4], [7], is based on the mode check from logic programming [13-15], which is more general and can propagate variable groundedness information across subformulas.

Both lines of work have their relative advantages and disadvantages. An online monitor can cache policy-relevant information from logs on the fly (in so-called summary structures) and discard the remaining log immediately. This saves space. It also saves time because the summary structures are organized according to the policy formula, so lookups are quicker than scans of the log in the offline method. However, online monitoring algorithms proposed so far require that all subformulas of the policy formula be amenable to caching. Furthermore, many real policies, including several privacy requirements of HIPAA and GLBA, are not amenable to such caching. In contrast, the offline algorithm proposed in our prior work [4] uses brute force search over a stored log. This is inefficient when compared to an online monitor, but it can handle all privacy requirements of HIPAA and GLBA. In this work, we combine the space- and time-efficiency of online monitoring with the generality of offline monitoring: we extend existing work in online monitoring [5] for privacy policy violations with a brute force search fallback based on offline audit for subformulas that are not amenable to caching. Like the work of Basin et al. [5], our work uses policies written in metric first-order temporal logic (MFOTL) [16].

Our key technical innovation is what we call the temporal mode check, a new static check on formulas to ensure finiteness of quantifier instantiation in our algorithm. Like a standard mode check, the temporal mode check is flow-sensitive: it can propagate variable groundedness information across subformulas. Additionally, the temporal mode check is time-sensitive: it conservatively approximates whether the grounding substitution for a variable comes from the future or the past. This allows us to classify all subformulas into those for which we build summary structures during online monitoring (we call such formulas buildable or B-formulas) and those for which we do not build summary structures and, hence, use brute force search.

As an example, consider the formula $\Box\,\exists x, y, z.(p(x) \wedge \blacklozenge q(x, y) \wedge \blacklozenge r(x, z))$, which means that in all states, there exist $x, y, z$ such that $p(x)$ holds and in some past states $q(x, y)$ and $r(x, z)$ hold. Assume that $p$ and $q$ are finite predicates and that $r$ is infinite, but given a ground value for its first argument, the second argument has finite computable support. One possible efficient strategy for monitoring this formula is to build summary structures for $p$ and $q$ and, in each state where an $x$ satisfying $p$ exists, to quickly look up the summary structure for $q$ to find a past state and a $y$ such that $\blacklozenge q(x, y)$ holds, and to scan the log by brute force to find a past state and a $z$ such that $\blacklozenge r(x, z)$ holds. Note that doing so requires marking $p$ and $q$ as B-formulas, but $r$ as not a B-formula (because $z$ can be computed only after $x$ is known, but $x$ is known from satisfaction of $p$, which happens in the future of $r$). Unlike the safe-range check or the standard mode check, our new temporal mode check captures this information correctly and our monitoring algorithm, précis, implements this strategy. No existing work on online monitoring can handle this formula because $r$ cannot be summarized [5-11]. The work on offline checking can handle this formula [4], but it does not build summary structures and is needlessly inefficient on $q$.

We prove the correctness of précis over formulas that pass the temporal mode check and analyze its asymptotic complexity. We also empirically evaluate the performance of précis on synthetically generated traces, with respect to privacy policies derived from HIPAA and GLBA. The goal of our experiment is to demonstrate that incrementally maintaining summary structures for B-formulas of the policy can improve the performance of policy compliance checking relative to a baseline of pure brute force search. This baseline algorithm is very similar to the offline monitoring algorithm of [4], called reduce. In our experiments, we observe marked improvements in running time over reduce, e.g., up to 2.5x-6.5x speedup for HIPAA and up to 1.5x speedup for GLBA, even with very conservative (unfavorable) assumptions about disk access. Even though these speedups are not universal (online monitoring optimistically constructs summary structures and if those structures are not used later then computation is wasted), they do indicate that temporal mode checking and our monitoring algorithm could have substantial practical benefit for privacy policy compliance.


2 Policy Specification Logic

Our policy specification logic, $\mathcal{GMP}$, is a fragment of MFOTL [16] with restricted universal quantifiers. The syntax of $\mathcal{GMP}$ is shown below.

$$\text{(Policy formula)}\quad \varphi ::= p(\vec t) \mid \top \mid \bot \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \exists x.\varphi \mid \forall x.(\varphi_1 \to \varphi_2) \mid \varphi_1\,\mathcal{S}_I\,\varphi_2 \mid \blacklozenge_I \varphi \mid \blacksquare_I \varphi \mid \ominus_I \varphi \mid \varphi_1\,\mathcal{U}_I\,\varphi_2 \mid \Diamond_I \varphi \mid \Box_I \varphi \mid \bigcirc_I \varphi$$


The letter $t$ denotes terms, which are constants or variables ($x$, $y$, etc.). Roman letters with right arrows on the top like $\vec t$ denote sequences or vectors. Policy formulas are denoted by $\varphi$, $\alpha$, and $\beta$. Universal quantifiers have a restricted form $\forall \vec x.\varphi_1 \to \varphi_2$. A guard [18] $\varphi_1$ is required, as explained further in Section 3.

Policy formulas include both past temporal operators ($\blacklozenge$, $\blacksquare$, $\mathcal{S}$, $\ominus$) and future temporal operators ($\Diamond$, $\Box$, $\mathcal{U}$, $\bigcirc$). Each temporal operator has an associated time interval $I$ of the form $[lo, hi]$, where $lo, hi \in \mathbb{N}$ and $lo \leq hi$. The interval selects a sub-part of the trace in which the immediate subformula is interpreted. For example, $\blacklozenge_{[2,6]}\,p$ means that at some point between 2 and 6 time units in the past, $p$ holds. For past temporal operators, we allow the higher limit ($hi$) of $I$ to be $\infty$. We omit the interval when it is $[0, \infty]$. Policies must be future-bounded: both limits ($lo$ and $hi$) of intervals associated with future temporal operators must be finite. $\mathcal{GMP}$ is not closed under negation due to the absence of the duals of operators $\mathcal{S}$ and $\mathcal{U}$. However, these operators do not arise in the practical privacy policies we have investigated.

Formulas are interpreted over a timed event trace (or, log) $\mathcal{L}$. Given a possibly-infinite domain of terms $\mathcal{D}$, each element of $\mathcal{L}$ (the $i$th element is denoted $\mathcal{L}_i$) maps each ground atom $p(\vec t)$ for $\vec t \in \mathcal{D}$ to either true or false. Each position $\mathcal{L}_i$ is associated with a time stamp, $\tau_i \in \mathbb{N}$, which is used to interpret intervals in formulas. We use $\tau$ to represent the sequence of time stamps, each of which is a natural number. For any arbitrary $i, j \in \mathbb{N}$ with $i \geq j$, $\tau_i \geq \tau_j$ (monotonicity). The environment $\eta$ maps free variables to values in $\mathcal{D}$. Given an execution trace $\mathcal{L}$ and a time stamp sequence $\tau$, a position $i \in \mathbb{N}$ in the trace, an environment $\eta$, and a formula $\varphi$, we write $\mathcal{L}, \tau, i, \eta \models \varphi$ to mean that $\varphi$ is satisfied in the $i$th position of $\mathcal{L}$ with respect to $\eta$ and $\tau$. The definition of $\models$ is standard and is presented below. Note that, given an interval $I = [lo, hi]$ where $lo, hi \in \mathbb{N}$ and $lo \leq hi$, we write $d \in I$ if it satisfies the following: $lo \leq d \leq hi$.


$\mathcal{L}, \tau, i, \eta \models \top$ and $\mathcal{L}, \tau, i, \eta \not\models \bot$.

$\mathcal{L}, \tau, i, \eta \models p(\vec t)$ iff $\mathcal{L}_i(p(\eta(\vec t)))$ is true.

$\mathcal{L}, \tau, i, \eta \models \varphi_1 \wedge \varphi_2$ iff $\mathcal{L}, \tau, i, \eta \models \varphi_1$ and $\mathcal{L}, \tau, i, \eta \models \varphi_2$.

$\mathcal{L}, \tau, i, \eta \models \varphi_1 \vee \varphi_2$ iff $\mathcal{L}, \tau, i, \eta \models \varphi_1$ or $\mathcal{L}, \tau, i, \eta \models \varphi_2$.

$\mathcal{L}, \tau, i, \eta \models \exists x.\varphi$ iff there exists $t$ such that $\mathcal{L}, \tau, i, \eta[x \mapsto t] \models \varphi$.

$\mathcal{L}, \tau, i, \eta \models \forall x.(\varphi_1 \to \varphi_2)$ iff for all $t$, if $\mathcal{L}, \tau, i, \eta[x \mapsto t] \models \varphi_1$ holds then $\mathcal{L}, \tau, i, \eta[x \mapsto t] \models \varphi_2$ holds.

$\mathcal{L}, \tau, i, \eta \models \blacklozenge_I \varphi$ iff there exists $k \leq i$, where $k \in \mathbb{N}$, such that $(\tau_i - \tau_k) \in I$ and $\mathcal{L}, \tau, k, \eta \models \varphi$.

$\mathcal{L}, \tau, i, \eta \models \blacksquare_I \varphi$ iff for all $k \leq i$, where $k \in \mathbb{N}$, such that $(\tau_i - \tau_k) \in I$, $\mathcal{L}, \tau, k, \eta \models \varphi$ holds.

$\mathcal{L}, \tau, i, \eta \models \ominus_I \varphi$ iff $i > 0$, $\mathcal{L}, \tau, i - 1, \eta \models \varphi$, and $\tau_i - \tau_{i-1} \in I$.

$\mathcal{L}, \tau, i, \eta \models \varphi_1\,\mathcal{S}_I\,\varphi_2$ iff there exists $k \leq i$, where $k \in \mathbb{N}$, such that $(\tau_i - \tau_k) \in I$ and $\mathcal{L}, \tau, k, \eta \models \varphi_2$, and for all $j$, where $j \in \mathbb{N}$ and $k < j \leq i$, $\mathcal{L}, \tau, j, \eta \models \varphi_1$ holds.

$\mathcal{L}, \tau, i, \eta \models \Diamond_I \varphi$ iff there exists $k \geq i$, where $k \in \mathbb{N}$, such that $(\tau_k - \tau_i) \in I$ and $\mathcal{L}, \tau, k, \eta \models \varphi$.

$\mathcal{L}, \tau, i, \eta \models \Box_I \varphi$ iff for all $k \geq i$, where $k \in \mathbb{N}$, such that $(\tau_k - \tau_i) \in I$, $\mathcal{L}, \tau, k, \eta \models \varphi$ holds.

$\mathcal{L}, \tau, i, \eta \models \bigcirc_I \varphi$ iff $\mathcal{L}, \tau, i + 1, \eta \models \varphi$, and $\tau_{i+1} - \tau_i \in I$.

$\mathcal{L}, \tau, i, \eta \models \varphi_1\,\mathcal{U}_I\,\varphi_2$ iff there exists $k \geq i$, where $k \in \mathbb{N}$, such that $(\tau_k - \tau_i) \in I$ and $\mathcal{L}, \tau, k, \eta \models \varphi_2$, and for all $j$, where $j \in \mathbb{N}$ and $i \leq j < k$, $\mathcal{L}, \tau, j, \eta \models \varphi_1$ holds.
Example policy. The following $\mathcal{GMP}$ formula represents a privacy rule from clause §6802(a) of the U.S. privacy law GLBA [2]. It states that a financial institution can disclose to a non-affiliated third party any non-public personal information (e.g., name, SSN) if such financial institution provides (within 30 days) or has provided, to the consumer, a notice of the disclosure.

$$\begin{array}{l}
\forall p_1, p_2, q, m, t, u, d.\ \big(\,\mathit{send}(p_1^-, p_2^-, m^-) \wedge \mathit{contains}(m^+, q^-, t^-) \wedge \mathit{info}(m^+, d^-, u^-)\,\big) \to \\
\quad \mathit{inrole}(p_1^+, \mathit{institution}^+) \wedge \mathit{nonAffiliate}(p_1^+, p_2^+) \wedge \mathit{consumerOf}(q^+, p_1^+) \wedge \mathit{attrIn}(t^+, \mathit{npi}^+) \\
\quad \wedge\ \big(\ \blacklozenge(\exists m_1.\ \mathit{send}(p_1^+, q^-, m_1^-) \wedge \mathit{noticeOfDisclosure}(m_1^+, p_1^+, p_2^+, q^+, t^+))\ \vee \\
\qquad\ \Diamond_{[0,30]}\,\exists m_2.\ \mathit{send}(p_1^+, q^-, m_2^-) \wedge \mathit{noticeOfDisclosure}(m_2^+, p_1^+, p_2^+, q^+, t^+)\ \big)
\end{array}$$
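The satisfaction relation above, as an added Python example that is not code from the paper: a brute-force evaluator over a small constructed audit log, run on the GLBA §6802(a) rule simplified to drop the inrole and info conjuncts. The tuple-based formula AST, the log contents and the use of the guard's atoms to enumerate candidate substitutions for $\forall$ (the finite instantiation described in Section 3.1) are my own assumptions.

```python
"""Brute-force semantics of the GMP fragment over a finite timed trace (constructed example)."""
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class Const:                  # wraps a constant so it is never looked up as a variable
    value: object

# Formulas are plain tuples; variables are strings; intervals I are (lo, hi) pairs.
def atom(p, *args):          return ("atom", p, args)
def AND(a, b):               return ("and", a, b)
def OR(a, b):                return ("or", a, b)
def EXISTS(x, f):            return ("exists", x, f)
def FORALL(guard, body):     return ("forall", guard, body)   # ∀x⃗.(guard → body), guard = atoms joined by ∧
def ONCE(f, I=(0, INF)):     return ("once", I, f)            # ◆_I
def SINCE(a, b, I=(0, INF)): return ("since", I, a, b)        # a S_I b
def EVENTUALLY(f, I):        return ("eventually", I, f)      # ◇_I, hi must be finite
def UNTIL(a, b, I):          return ("until", I, a, b)        # a U_I b

def _val(a, env): return a.value if isinstance(a, Const) else env[a]
def _in(d, I):    return I[0] <= d <= I[1]

def active_domain(trace):
    return {v for _, st in trace for tups in st.values() for tup in tups for v in tup}

def guard_subs(state, env, g):
    """Extensions of env that satisfy the guard at one state. As in Section 3.1, the guard
    grounds the quantified variables, which keeps the universal quantifier finitely checkable."""
    if g[0] == "and":
        return [e2 for e1 in guard_subs(state, env, g[1]) for e2 in guard_subs(state, e1, g[2])]
    _, p, args = g
    out = []
    for tup in state.get(p, ()):
        e = dict(env)
        for a, v in zip(args, tup):
            if (a.value if isinstance(a, Const) else e.get(a, v)) != v:
                break
            if not isinstance(a, Const):
                e[a] = v
        else:
            out.append(e)
    return out

def holds(trace, i, env, f):
    """L, tau, i, eta |= f, clause by clause as in the definition of |= above."""
    taus = [t for t, _ in trace]
    st = [s for _, s in trace]
    k = f[0]
    if k == "atom":
        return tuple(_val(a, env) for a in f[2]) in st[i].get(f[1], set())
    if k == "and":
        return holds(trace, i, env, f[1]) and holds(trace, i, env, f[2])
    if k == "or":
        return holds(trace, i, env, f[1]) or holds(trace, i, env, f[2])
    if k == "exists":
        return any(holds(trace, i, {**env, f[1]: v}, f[2]) for v in active_domain(trace))
    if k == "forall":
        return all(holds(trace, i, e, f[2]) for e in guard_subs(st[i], env, f[1]))
    if k == "once":
        return any(_in(taus[i] - taus[j], f[1]) and holds(trace, j, env, f[2]) for j in range(i + 1))
    if k == "since":
        return any(_in(taus[i] - taus[j], f[1]) and holds(trace, j, env, f[3])
                   and all(holds(trace, m, env, f[2]) for m in range(j + 1, i + 1)) for j in range(i + 1))
    if k == "eventually":
        return any(_in(taus[j] - taus[i], f[1]) and holds(trace, j, env, f[2]) for j in range(i, len(trace)))
    if k == "until":
        return any(_in(taus[j] - taus[i], f[1]) and holds(trace, j, env, f[3])
                   and all(holds(trace, m, env, f[2]) for m in range(i, j)) for j in range(i, len(trace)))
    raise ValueError(f"unknown connective {k}")

def glba_6802a():
    """GMP encoding of the GLBA §6802(a) rule above, without the inrole and info conjuncts."""
    def notice(m):            # ∃m. send(p1, q, m) ∧ noticeOfDisclosure(m, p1, p2, q, t)
        return EXISTS(m, AND(atom("send", "p1", "q", m),
                             atom("noticeOfDisclosure", m, "p1", "p2", "q", "t")))
    guard = AND(atom("send", "p1", "p2", "m"), atom("contains", "m", "q", "t"))
    body = AND(atom("nonAffiliate", "p1", "p2"), AND(atom("consumerOf", "q", "p1"),
           AND(atom("attrIn", "t", Const("npi")),
               OR(ONCE(notice("m1")), EVENTUALLY(notice("m2"), (0, 30))))))
    return FORALL(guard, body)

# Facts that hold at every position of the constructed log.
FACTS = {"nonAffiliate": {("bank", "tp")}, "attrIn": {("ssn", "npi")},
         "consumerOf": {("c1", "bank"), ("c2", "bank"), ("c3", "bank")}}

def state(**events):
    s = {p: set(t) for p, t in FACTS.items()}
    for p, tups in events.items():
        s.setdefault(p, set()).update(tups)
    return s

# Constructed audit log as (time stamp, events): c1's data is disclosed after a notice, c2's
# before a notice that arrives within 30 days, c3's without any notice.
TRACE = [
    (0,  state(send={("bank", "c1", "n1")}, noticeOfDisclosure={("n1", "bank", "tp", "c1", "ssn")})),
    (5,  state(send={("bank", "tp", "d1")}, contains={("d1", "c1", "ssn")})),
    (9,  state(send={("bank", "tp", "d2")}, contains={("d2", "c2", "ssn")})),
    (20, state(send={("bank", "c2", "n2")}, noticeOfDisclosure={("n2", "bank", "tp", "c2", "ssn")})),
    (30, state(send={("bank", "tp", "d3")}, contains={("d3", "c3", "ssn")})),
]

def violations(trace, policy):
    """Positions where the policy fails; the outer □ of the example means 'at every position'."""
    return [i for i in range(len(trace)) if not holds(trace, i, {}, policy)]
```

Because the evaluator sees the whole finished trace, the future $\Diamond_{[0,30]}$ disjunct is decided immediately; the online delay this requires is what Section 4 handles with $\Delta(\varphi)$.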

3 Temporal Mode Checking

We review mode-checking and provide an overview of our key insight, temporal mode-checking. Then, we define temporal mode-checking for $\mathcal{GMP}$ formally.

3.1 Mode Checking

Consider a predicate $\mathit{addLessEq}(x, y, a)$, meaning $x + y \leq a$, where $x$, $y$, and $a$ range over $\mathbb{N}$. If we are given ground values for $x$ and $a$, then the number of substitutions for $y$ for which $\mathit{addLessEq}(x, y, a)$ holds is finite. In this case, we may say that $\mathit{addLessEq}$'s argument positions 1 and 3 are input positions (denoted by '+') and argument position 2 is an output position (denoted by '$-$'), written $\mathit{addLessEq}(x^+, y^-, a^+)$. Such a specification of inputs and outputs is called a mode-specification. The meaning of a mode-specification for a predicate is that if we are given ground values for arguments in the input positions, then the number of substitutions for the variables in the output positions that result in a satisfied relation is finite. For instance, $\mathit{addLessEq}(x^+, y^+, a^-)$ is not a valid mode-specification. Mode analysis (or mode-checking) lifts input-output specifications on predicates to input-output specifications on formulas. It is commonly formalized as a judgment $\chi_{in} \vdash \varphi : \chi_{out}$, which states that given a grounding substitution for variables in $\chi_{in}$, there is at most a finite set of substitutions for variables in $\chi_{out}$ that could together satisfy $\varphi$. For instance, consider the formula $\varphi = p(x) \wedge q(x, y)$. Given the mode-specification $p(x^-)$ and $q(x^+, y^-)$ and a left-to-right evaluation order for conjunction, $\varphi$ passes mode analysis with $\chi_{in} = \{\}$ and $\chi_{out} = \{x, y\}$. Mode analysis guides an algorithm to obtaining satisfying substitutions. In our example, we first obtain substitutions for $x$ that satisfy $p(x)$. Then, we plug ground values for $x$ into $q(x, y)$ to get substitutions for $y$. However, if the mode-specification is $p(x^+)$ and $q(x^+, y^-)$, then $\varphi$ will fail mode analysis unless $x$ is already ground (i.e., $x \in \chi_{in}$).

Mode analysis can be used to identify universally quantified formulas whose truth is finitely checkable. We only need to restrict universal quantifiers to the form $\forall x.(\varphi_1 \to \varphi_2)$, and require that $x$ be in the output of $\varphi_1$ and that $\varphi_2$ be well-moded ($x$ may be in its input). To check that $\forall x.(\varphi_1 \to \varphi_2)$ is true, we first find the values of $x$ that satisfy $\varphi_1$. This is a finite set because $x$ is in the output of $\varphi_1$. We then check that for each of these $x$'s, $\varphi_2$ is satisfied.

3.2 Overview of Temporal Mode Checking

Consider the policy $\varphi_p = p(x^-) \wedge \blacklozenge q(x^+, y^-)$ and consider the following obvious but inefficient way to monitor it: we wait for $p(x)$ to hold for some $x$, then we look back in the trace to find a position where $q(x, y)$ holds for some $y$. This is mode-compliant (we only check $q$ with its input $x$ ground) but requires us to traverse the trace backward whenever $p(x)$ holds for some $x$, which can be slow.

Ideally, we would like to incrementally build a summary structure for $\blacklozenge q(x, y)$ containing all the substitutions for $x$ and $y$ for which the formula holds as the monitor processes each new trace event. When we see $p(x)$, we could quickly look through the summary structure to check whether a relation of the form $q(x, y)$ for the specific $x$ and any $y$ exists. However, note that building such a structure may be impossible here. Why? The mode-specification $q(x^+, y^-)$ tells us only that we will obtain a finite set of satisfying substitutions when $x$ is already ground. However, in this example, the ground $x$ comes from $p$, which holds in the future of $q$, so the summary structure may be infinite and, hence, unbuildable. In contrast, if the mode-specification of $q$ is $q(x^-, y^-)$, then we can build the summary structure because, independent of whether or not $x$ is ground, only a finite number of substitutions can satisfy $q$. In this example, we would label $\blacklozenge q(x, y)$ buildable or a B-formula when the mode-specification is $q(x^-, y^-)$ and a non-B-formula when the mode-specification is $q(x^+, y^-)$.

With conventional mode analysis, $\varphi_p$ is well-moded under both mode-specifications of $q$. Consequently, in order to decide whether $\varphi_p$ is a B-formula, we need a refined analysis which takes into account the fact that, with the mode-specification $q(x^+, y^-)$, information about grounding of $x$ flows backward in time from $p$ to $q$ and, hence, $\blacklozenge q(x, y)$ is not a B-formula. This is precisely what our temporal mode-check accomplishes: it tracks whether an input substitution comes from the past/current state, or from the future. By doing so, it provides enough information to determine which subformulas are B-formulas.

Formally, our temporal mode-checking has two judgments: $\chi_C \vdash_B \varphi : \chi_O$ and $\chi_C, \chi_F \vdash \varphi : \chi_O$. The first judgment assumes that substitutions for $\chi_C$ are available from the past or at the current time point; any subformula satisfying such a judgment is labeled as a B-formula. The second judgment assumes that substitutions for $\chi_C$ are available from the past or at the current time point, but those for $\chi_F$ will be available in the future. A formula satisfying such a judgment is not a B-formula but can be handled by brute force search. Our implementation of temporal mode analysis first tries to check a formula by the first judgment, and falls back to the second when it fails. The formal rules for mode analysis (described later) allow for both possibilities but do not prescribe a preference. At the top level, $\varphi$ is well-moded if $\{\}, \{\} \vdash \varphi : \chi_O$ for some $\chi_O$.

To keep things simple, we do not build summary structures for future formulas such as $\alpha\,\mathcal{U}_I\,\beta$, and do not allow future formulas in the judgment form $\chi_C \vdash_B \varphi : \chi_O$ (however, we do build summary structures for nested past-subformulas of future formulas). To check $\alpha\,\mathcal{U}_I\,\beta$, we wait until the upper limit of $I$ is exceeded and then search backward. As an optimization, one may build conservative summary structures for future formulas, as in some prior work [5].

3.3 Recognizing B-formulas

We list selected rules of temporal mode-checking in Figure 1. The complete list of rules of temporal mode checking can be found in Appendix A. Rule B-Pre, which applies to an atom $p(t_1, \ldots, t_n)$, checks that all variables in input positions of $p$ are in $\chi_C$. The output $\chi_O$ is the set of variables in output positions of $p$. ($I(p)$ and $O(p)$ are the sets of input and output positions of $p$, respectively.) The rule for conjunctions $\varphi_1 \wedge \varphi_2$ first checks $\varphi_1$ and then checks $\varphi_2$, propagating variables in the output of $\varphi_1$ to the input of $\varphi_2$. These two rules are standard in mode-checking. The new, interesting rule is B-Since for the formula $\varphi_1\,\mathcal{S}_I\,\varphi_2$. Since structures for $\varphi_1$ and $\varphi_2$ could be built
$$\textsc{B-Pre}\quad \frac{\forall k \in I(p).\ fv(t_k) \subseteq \chi_C \qquad \chi_O = \bigcup_{j \in O(p)} fv(t_j)}{\chi_C \vdash_B p(t_1, \ldots, t_n) : \chi_O}$$

$$\textsc{B-And}\quad \frac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C \cup \chi_1 \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cup \chi_2}{\chi_C \vdash_B \varphi_1 \wedge \varphi_2 : \chi_O}$$

$$\textsc{B-Since}\quad \frac{\{\} \vdash_B \varphi_2 : \chi_1 \qquad \chi_1 \vdash_B \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C \vdash_B \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}$$

$$\textsc{Pre}\quad \frac{\forall k \in I(p).\ fv(t_k) \subseteq (\chi_C \cup \chi_F) \qquad \chi_O = \bigcup_{j \in O(p)} fv(t_j)}{\chi_C, \chi_F \vdash p(t_1, \ldots, t_n) : \chi_O}$$

$$\textsc{Since-1}\quad \frac{\{\} \vdash_B \varphi_2 : \chi_1 \qquad \chi_1, \chi_C \cup \chi_F \vdash \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}$$

$$\textsc{Until-1}\quad \frac{\chi_C \vdash_B \varphi_2 : \chi_1 \qquad \chi_C, \chi_F \cup \chi_1 \vdash \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_O}$$

$$\textsc{Univ-1}\quad \frac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \{x\} \subseteq \chi_1 \qquad fv(\varphi_1) \subseteq \chi_C \cup \chi_F \cup \{x\} \qquad fv(\varphi_2) \subseteq (\chi_C \cup \chi_1 \cup \chi_F) \qquad \chi_C, \chi_F \cup \chi_1 \vdash \varphi_2 : \chi_2}{\chi_C, \chi_F \vdash \forall x.(\varphi_1 \to \varphi_2) : \{\}}$$

Figure 1: Selected rules of temporal mode-checking


at time points earlier than the current time, the premise simply ignores the input $\chi_C$. The first premise of B-Since checks $\varphi_2$ with an empty input. Based on the semantics of temporal logic, $\varphi_1$ needs to be true on the trace after $\varphi_2$, so all variables ground by $\varphi_2$ (i.e., $\chi_1$) are available as "current" input in $\varphi_1$. As an example, $\{\} \vdash_B \top\,\mathcal{S}\,q(x^-, y^-) : \{x, y\}$.

3.4 Temporal Mode Checking Judgement

In the mode-checking judgment $\chi_C, \chi_F \vdash \varphi : \chi_O$, we separate the set of input variables for which substitutions are available at the current time point or from the past ($\chi_C$) from the set of variables for which substitutions are available from the future ($\chi_F$). The distinction is needed because sub-derivations of the form $\chi'_C \vdash_B \varphi' : \chi'_O$ should be passed only the former variables as input. Please note that the complete list of rules of temporal mode checking can be found in Appendix A.

Rule Pre for atoms checks that variables in input positions are in the union of $\chi_C$ and $\chi_F$. There are four rules for $\varphi_1\,\mathcal{S}_I\,\varphi_2$, accounting for the buildability/non-buildability of each of the two subformulas. We show only one of these four rules, Since-1, which applies when $\varphi_2$ is a B-formula but $\varphi_1$ is not. In this case, $\varphi_2$ will be evaluated (for creating the summary structure) at time points earlier than $\varphi_1\,\mathcal{S}_I\,\varphi_2$ and, therefore, cannot use variables in $\chi_C$ or $\chi_F$ as input (see Figure 2). When checking $\varphi_1$, variables in the output of $\varphi_2$ (called $\chi_1$), $\chi_C$ and $\chi_F$ are all inputs, but those in $\chi_C$ or $\chi_F$ come from the future. The entire formula is not a B-formula as $\varphi_1$ is not.

Figure 2: Example: Temporal information in mode checking $\varphi_1\,\mathcal{S}_I\,\varphi_2$


Similarly, there are four rules for $\varphi_1\,\mathcal{U}_I\,\varphi_2$, of which we show only one, Until-1. This rule applies when $\varphi_2$ is a B-formula, but $\varphi_1$ is not. Its first premise checks that $\varphi_2$ is a B-formula with input $\chi_C$. Our algorithm checks $\varphi_1$ only when $\varphi_2$ is true, so the outputs $\chi_1$ of $\varphi_2$ are available as input for $\varphi_1$. In checking $\varphi_1$, both $\chi_1$ and $\chi_F$ may come from the future.

The first premise of rule Univ-1 checks that the guard $\varphi_1$ is well-moded with some output $\chi_1$. The second premise, $\{x\} \subseteq \chi_1$, ensures that the guard $\varphi_1$ can be satisfied only for a finite number of substitutions for $x$, which is necessary to feasibly check $\varphi_2$. The third premise, $fv(\varphi_1) \subseteq (\chi_C \cup \chi_F \cup \{x\})$, ensures that no variables other than $x$ are additionally grounded by checking $\varphi_1$. The fourth premise, $fv(\varphi_2) \subseteq (\chi_C \cup \chi_F \cup \chi_1)$, ensures that all free variables in $\varphi_2$ are already grounded by the time $\varphi_2$ needs to be checked. The final premise ensures the well-modedness of $\varphi_2$. The third and fourth premises are technical conditions, needed for the soundness of our algorithm.
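The two judgements of Sections 3.1 to 3.4, as an added Python example that is not the paper's code: a checker that tries $\vdash_B$ first and falls back to the general judgement, implementing the Figure 1 rules for atoms, conjunction, since, until and guarded universals. The rules for $\exists$, for conjunction under the general judgement and for since with a non-buildable right side are my reconstruction and not the paper's Appendix A; the tuple AST and the mode annotations carried on atom arguments are likewise my assumptions. It classifies $\varphi_p$ from Section 3.2 under both mode-specifications of $q$ and the body of the introduction's $\Box\exists x, y, z$ formula.

```python
"""Temporal mode check (Sections 3.1-3.4) over a small formula AST. Constructed example; the
rules absent from Figure 1 (∃, ∧ under the general judgement, S with a non-buildable right
side) are my reconstruction, not the paper's Appendix A.  AST: ("atom", p, ((var, mode), ...))
with mode "+" input / "-" output; ("and", f1, f2); ("since", f1, f2); ("until", f1, f2);
("exists", (x, ...), f); ("forall", x, guard, body); TOP.  ◆f is encoded as ⊤ S f (Section 3.3)."""
TOP = ("top",)
def atom(p, *args): return ("atom", p, tuple(args))
def ONCE(f): return ("since", TOP, f)
def AND(*fs):                                  # right-nested conjunction
    f = fs[-1]
    for g in reversed(fs[:-1]):
        f = ("and", g, f)
    return f

class ModeError(Exception):
    pass
def fv(f):                                     # free variables of a formula
    k = f[0]
    if k == "top": return set()
    if k == "atom": return {v for v, _ in f[2]}
    if k in ("and", "since", "until"): return fv(f[1]) | fv(f[2])
    if k == "exists": return fv(f[2]) - set(f[1])
    return (fv(f[2]) | fv(f[3])) - {f[1]}      # forall

def _pre(f, ground):                           # B-PRE / PRE: inputs must be ground, outputs returned
    ins = {v for v, m in f[2] if m == "+"}
    if not ins <= ground:
        raise ModeError(f"{f[1]}: inputs {sorted(ins - ground)} not ground")
    return {v for v, m in f[2] if m == "-"}
def _bind(xs, chiO):                           # assumed ∃ rule: bound variables must be outputs
    if not set(xs) <= chiO:
        raise ModeError(f"exists {xs}: not grounded by its body")
    return chiO - set(xs)

def check_B(chiC, f, labels):
    """chiC ⊢_B f : chiO; raises ModeError if f is not buildable, else labels f's subformulas B."""
    local = {}
    chiO = _check_B(chiC, f, local)
    labels.update(local)
    return chiO

def _check_B(chiC, f, labels):
    k = f[0]
    if k == "top":
        chiO = set()
    elif k == "atom":
        chiO = _pre(f, chiC)
    elif k == "and":                           # B-AND
        x1 = _check_B(chiC, f[1], labels)
        chiO = x1 | _check_B(chiC | x1, f[2], labels)
    elif k == "since":                         # B-SINCE: chiC is ignored, f2 is built first
        chiO = _check_B(set(), f[2], labels)
        _check_B(chiO, f[1], labels)
    elif k == "exists":
        chiO = _bind(f[1], _check_B(chiC, f[2], labels))
    else:                                      # Section 3.2: U and ∀ formulas are never built
        raise ModeError(f"{k}: no summary structure")
    labels[f] = True
    return chiO

def check(chiC, chiF, f, labels):
    """chiC, chiF ⊢ f : chiO.  Tries ⊢_B first and falls back to the general rules."""
    try:
        return check_B(chiC, f, labels)
    except ModeError:
        labels[f] = False
    k = f[0]
    if k == "atom":
        return _pre(f, chiC | chiF)
    if k == "and":                             # assumed analogue of B-AND
        x1 = check(chiC, chiF, f[1], labels)
        return x1 | check(chiC | x1, chiF, f[2], labels)
    if k == "since":
        try:                                   # SINCE-1: f2 is built, f1 is not
            x1 = check_B(set(), f[2], labels)
        except ModeError:                      # assumed: f2 sees every input as future
            x1 = check(set(), chiC | chiF, f[2], labels)
        check(x1, chiC | chiF, f[1], labels)   # chiC and chiF reach f1 from the future
        return x1
    if k == "until":                           # UNTIL-1: f2 is built with current inputs
        x1 = check_B(chiC, f[2], labels)
        check(chiC, chiF | x1, f[1], labels)
        return x1
    if k == "exists":
        return _bind(f[1], check(chiC, chiF, f[2], labels))
    _, x, g, b = f                             # UNIV-1, premises in the order of Section 3.4
    x1 = check(chiC, chiF, g, labels)
    if x not in x1 or not fv(g) <= chiC | chiF | {x} or not fv(b) <= chiC | chiF | x1:
        raise ModeError(f"forall {x}: a guard or body premise fails")
    check(chiC, chiF | x1, b, labels)
    return set()

# Section 3.2: phi_p = p(x-) ∧ ◆q(x, y); ◆q is a B-formula only if q's first argument is an output.
def phi_p(q_x_mode):
    return AND(atom("p", ("x", "-")), ONCE(atom("q", ("x", q_x_mode), ("y", "-"))))
# Body of the introduction's □∃x,y,z.(p(x) ∧ ◆q(x,y) ∧ ◆r(x,z)); r is finite only once x is ground.
INTRO = ("exists", ("x", "y", "z"), AND(atom("p", ("x", "-")), ONCE(atom("q", ("x", "-"), ("y", "-"))),
                                        ONCE(atom("r", ("x", "+"), ("z", "-")))))
```

Calling `check(set(), set(), f, labels)` is the top-level judgement $\{\}, \{\} \vdash f : \chi_O$; afterwards `labels` maps each subformula to whether it was labelled a B-formula.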


4 Runtime Monitoring Algorithm

Our policy compliance algorithm précis takes as input a well-moded $\mathcal{GMP}$ policy $\varphi$, monitors the system trace as it grows, builds summary structures for nested B-formulas and reports a violation as soon as it is detected.

We write $\sigma$ to denote a substitution, a finite map from variables to values in the domain $\mathcal{D}$. The identity substitution is denoted $\bullet$ and $\sigma_\bot$ represents an invalid substitution. For instance, the result of joining ($\bowtie$) two substitutions $\sigma_1$ and $\sigma_2$ that do not agree on the values of shared variables is $\sigma_\bot$. We say that $\sigma'$ extends $\sigma$, written $\sigma' \geq \sigma$, if the domain of $\sigma'$ is a superset of the domain of $\sigma$ and they agree on mappings of variables that are in the domain of $\sigma$. We summarize relevant algorithmic functions below.

précis($\varphi$) is the top-level function (Algorithm 1).

checkCompliance($\mathcal{L}, i, \tau, \pi, \varphi$) checks whether events in the $i$th position of the trace $\mathcal{L}$ satisfy $\varphi$, given the algorithm's internal state $\pi$ and the time stamps $\tau$. State $\pi$ contains up-to-date summary structures for all B-formulas of $\varphi$.

uSS($\mathcal{L}, i, \tau, \pi, \varphi$) incrementally updates summary structures for B-formula $\varphi$ when log position $i$ is seen. It assumes that the input $\pi$ is up-to-date w.r.t. earlier log positions and it returns the state with the updated summary structure for $\varphi$. (uSS is the abbreviation of updateSummaryStructures.)

sat($\mathcal{L}, i, \tau, p(\vec t), \sigma$) returns the set of all substitutions $\sigma_i$ for free variables in $p(\vec t)$ that make $p(\vec t)\sigma_i$ true in the $i$th position of $\mathcal{L}$, given $\sigma$ that grounds variables in the input positions of $p$. Here, $\sigma_i \geq \sigma$.

ips($\mathcal{L}, i, \tau, \pi, \sigma, \varphi$) generalizes sat from atomic predicates to policy formulas. It takes the state $\pi$ as an input to look up summary structures when B-formulas are encountered.


4.1 Top-level monitoring algorithm.

Algorithm 1 (précis), the top-level monitoring process, uses two pointers to log entries: curPtr points to the last entry in the log $\mathcal{L}$, and evalPtr points to the position at which we next check whether $\varphi$ is satisfied. Naturally, curPtr $\geq$ evalPtr. The gap between these two pointers is determined by the intervals occurring in future temporal operators in $\varphi$. For example, with the policy $\varphi = \Diamond_{[lo,hi]}\,\beta$, $\varphi$ can be evaluated at log position $i$ only after a position $j > i$ with $\tau_j - \tau_i > hi$ has been observed. We define a simple function $\Delta(\varphi)$ just below that computes a coarse but finite upper bound on the maximum time the monitor needs to wait before $\varphi$ can be evaluated. We want to emphasize that future boundedness of $\mathcal{GMP}$ policies and the monotonicity requirement on $\tau$ ensure that $\Delta(\varphi)$ is finite and bounded.


$$\Delta(\varphi) = \begin{cases}
0 & \text{if } \varphi = \top \mid \bot \mid p(t_1, \ldots, t_n) \\
\max(\Delta(\varphi_1), \Delta(\varphi_2)) & \text{if } \varphi = \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 \mid \forall x.(\varphi_1 \to \varphi_2) \mid \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2 \\
\Delta(\varphi') & \text{if } \varphi = \exists x.\varphi' \mid \blacklozenge_{[c,d]}\varphi' \mid \blacksquare_{[c,d]}\varphi' \mid \ominus_{[c,d]}\varphi' \\
d + \max(\Delta(\varphi_1), \Delta(\varphi_2)) & \text{if } \varphi = \varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2 \\
d + \Delta(\varphi') & \text{if } \varphi = \Diamond_{[c,d]}\varphi' \mid \Box_{[c,d]}\varphi' \mid \bigcirc_{[c,d]}\varphi'
\end{cases}$$

Figure 3: Definition of $\Delta(\varphi)$


Algorithm 1 The précis algorithm
Require: A $\mathcal{GMP}$ policy φ
 1: π ← ∅; curPtr ← 0; evalPtr ← 0; L ← ∅; τ ← ∅;
 2: Mode-check φ. Label all B-formulas of φ.
 3: while (true) do
 4:     Wait until new events are available
 5:     Extend L and τ with new entries
 6:     for all (B-formulas φ_B of φ in ascending formula size) do
 7:         π ← uSS(L, curPtr, τ, π, φ_B)    // update summary structures
 8:     while (evalPtr < curPtr) do
 9:         if (τ_curPtr − τ_evalPtr > Δ(φ)) then
10:             tVal ← checkCompliance(L, evalPtr, τ, π, φ)
11:             if tVal = false then
12:                 Report violation on L position evalPtr
13:             evalPtr ← evalPtr + 1
14:         else
15:             break
16:     curPtr ← curPtr + 1


The  algorithm  precis  first  initializes  relevant  data  structures  and  labels  B-formulas  using 
mode  analysis  (lines  1-2).  The  main  body  of  the  precis  is  a  trace-event  triggered  loop.  In 


checkCompliance(£,  i.  r,  n,  p) 


true  if  ips(£,  i ,  r,  7r,  •,  (p)  /  {} 
false  otherwise 


Figure  4:  Definition  of  the  checkCompliance  function. 


each iteration of the loop, precis: (1) updates the summary structures in $\pi$ based on the newly available log entries (lines 6-7), and (2) evaluates the policy at positions where it can be fully evaluated, i.e., where the difference between the entry's time point and the current time point (the time stamp at curPtr) is at least the maximum delay $\Delta(\varphi)$. Step (1) uses the function uSS and step (2) uses the function checkCompliance (see Figure 4). checkCompliance is a wrapper for ips that calls ips with the empty substitution $\bullet$ as the input substitution. If ips returns an empty set of satisfying substitutions, checkCompliance returns false, signaling a violation at the time point being evaluated; otherwise it returns true.
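To make the evaluation delay concrete, the following Python program is an added illustration (not code from the paper): it implements $\Delta(\varphi)$ of Figure 3 over a small tuple-encoded formula tree together with the curPtr/evalPtr loop of Algorithm 1, using a brute-force ips (the non-B case only) for a fragment with atoms, conjunction, guarded universal quantification and bounded eventually/once. The formula encoding, the names delta, sat, ips and precis, the policy, the event trace and the timestamps are all this example's own constructions.

```python
"""Delta(phi) from Figure 3 and the curPtr/evalPtr loop of Algorithm 1.

Added illustration, not the paper's code.  Formulas are nested tuples; the
evaluator 'ips' is the brute-force (non-B) case only and covers a small
fragment: atoms, conjunction, guarded universal quantification, and bounded
'eventually' and 'once'.  The policy, events and timestamps are constructed
for the example."""

BOTTOM = None


def delta(phi):
    """Figure 3: upper bound on the wait before phi can be evaluated at a position."""
    op = phi[0]
    if op in ("true", "false", "atom"):
        return 0
    if op in ("and", "or"):                            # ("and", f, g)
        return max(delta(phi[1]), delta(phi[2]))
    if op == "forall":                                 # ("forall", vars, guard, body)
        return max(delta(phi[2]), delta(phi[3]))
    if op == "since":                                  # ("since", lo, hi, f, g)
        return max(delta(phi[3]), delta(phi[4]))
    if op in ("exists", "prev", "hist", "once"):       # ("once", lo, hi, f) etc.
        return delta(phi[-1])
    if op == "until":                                  # ("until", lo, hi, f, g): hi + ...
        return phi[2] + max(delta(phi[3]), delta(phi[4]))
    if op in ("next", "always", "eventually"):         # ("eventually", lo, hi, f): hi + ...
        return phi[2] + delta(phi[-1])
    raise ValueError("unknown operator %r" % op)


def join(s1, s2):
    """sigma1 |><| sigma2: union if they agree on shared variables, else BOTTOM."""
    if s1 is BOTTOM or s2 is BOTTOM:
        return BOTTOM
    if any(s1[v] != s2[v] for v in s1.keys() & s2.keys()):
        return BOTTOM
    return {**s1, **s2}


def sat(trace, i, pred, args, sigma_in):
    """Substitutions extending sigma_in under which pred(args) holds at position i."""
    subs = (join(sigma_in, dict(zip(args, tup))) for tup in trace[i].get(pred, ()))
    return [s for s in subs if s is not BOTTOM]


def ips(trace, tau, i, sigma, phi):
    """Brute-force ips: substitutions extending sigma that satisfy phi at position i."""
    op = phi[0]
    if op == "atom":
        return sat(trace, i, phi[1], phi[2], sigma)
    if op == "and":
        return [s2 for s1 in ips(trace, tau, i, sigma, phi[1])
                for s2 in ips(trace, tau, i, s1, phi[2])]
    if op == "forall":                                 # guard first, then body (Figure 5)
        for sc in ips(trace, tau, i, sigma, phi[2]):
            if not ips(trace, tau, i, sc, phi[3]):
                return []                              # a guard instance violates the body
        return [sigma]
    if op in ("eventually", "once"):
        _, lo, hi, f = phi
        ks = range(i, len(trace)) if op == "eventually" else range(i, -1, -1)
        return [s for k in ks if lo <= abs(tau[k] - tau[i]) <= hi
                for s in ips(trace, tau, k, sigma, f)]
    raise ValueError("operator %r not supported by this evaluator" % op)


def precis(policy, events):
    """Algorithm 1 without summary structures.  events: list of (timestamp, state).
    Position p is checked only once tau[curPtr] - tau[p] >= Delta(policy); with
    monotone timestamps every position a bounded future operator can reach from p
    is then already in the trace."""
    bound = delta(policy)
    trace, tau, violations, eval_ptr = [], [], [], 0
    for cur_ptr, (t, state) in enumerate(events):     # lines 4-5: a new event arrives
        trace.append(state)
        tau.append(t)
        while eval_ptr <= cur_ptr:                     # lines 8-15
            if tau[cur_ptr] - tau[eval_ptr] < bound:
                break                                  # not enough future observed yet
            if not ips(trace, tau, eval_ptr, {}, policy):  # checkCompliance, Figure 4
                violations.append(eval_ptr)
            eval_ptr += 1
    return violations, eval_ptr


# Constructed policy: every access(u, f) must be followed by notify(u, f) within 2 time units.
POLICY = ("forall", ("u", "f"),
          ("atom", "access", ("u", "f")),
          ("eventually", 0, 2, ("atom", "notify", ("u", "f"))))

# Constructed events: (timestamp, {predicate: set of argument tuples}).
EVENTS = [
    (0, {"access": {("alice", "f1")}}),
    (1, {}),
    (2, {"notify": {("alice", "f1")}}),     # satisfies the access at position 0
    (3, {"access": {("bob", "f2")}}),       # never notified: violation at position 3
    (4, {}),
    (5, {"access": {("carol", "f3")}}),     # cannot be judged until a timestamp >= 7
]

if __name__ == "__main__":
    print("Delta(policy) =", delta(POLICY))
    print("violations, evalPtr =", precis(POLICY, EVENTS))
```

Here $\Delta(\varphi) = 2$, so the violation at position 3 is only reported when the event with timestamp 5 arrives, and positions 4 and 5 remain unevaluated (evalPtr stops at 4) until later events are observed; this is exactly the lag that line 9 of Algorithm 1 enforces.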

4.2  Finding  substitutions  for  policy  formulas. 

The recursive function ips returns the set of substitutions that satisfy a formula at a given log position, given a substitution for the formula's input variables. Selected clauses of the definition of ips are shown in Figure 5; all the clauses of the definition of ips can be found in Appendix B. When the formula is an atom, ips invokes sat, an abstract wrapper around specific implementations of predicates. When the policy is a universally quantified formula, ips is called on the guard $\varphi_1$ to find the guard's satisfying substitutions $\Sigma_1$. Then, ips is called to check that $\varphi_2$ is true for all substitutions in $\Sigma_1$. If the latter fails, ips returns the empty set of substitutions to signal a violation; otherwise it returns $\{\sigma_{in}\}$.

When a B-formula $\alpha\,\mathcal{S}_I\,\beta$ is encountered, all its satisfying substitutions have already been computed and stored in $\pi$. Therefore, ips simply finds these substitutions in $\pi$ (expression $\pi.A(\alpha\,\mathcal{S}_I\,\beta)(i).M$) and discards those that are inconsistent with $\sigma_{in}$ by performing a join ($\bowtie$). For a non-B-formula $\alpha\,\mathcal{S}_I\,\beta$, ips calls itself recursively on the sub-formulas $\alpha$ and $\beta$ and computes the substitutions by brute force.

4.3  Incrementally  updating  summary  structures. 

We explain here how we update summary structures for formulas of the form $\varphi_1\,\mathcal{S}_I\,\varphi_2$. Updates for $\ominus_I\varphi$, $\boxminus_I\varphi$, and $\blacklozenge_I\varphi$ are similar and can be found in Appendix C.

For each B-formula of the form $\alpha\,\mathcal{S}_{[lo,hi]}\,\beta$, we build three structures: $S_\beta$, $S_\alpha$, and $M$. The structure $S_\beta$ contains a set of pairs of the form $(\sigma, k)$ in which $\sigma$ represents a substitution and $k \in \mathbb{N}$ is a position in $\mathcal{L}$. Each pair $(\sigma, k) \in S_\beta$ represents that for all $\sigma' \geq \sigma$, the formula $\beta\sigma'$ is true at position $k$ of $\mathcal{L}$. The structure $S_\alpha$ contains a set of pairs of the form $(\sigma, k)$, each of which represents that for all $\sigma' \geq \sigma$ the formula $\alpha\sigma'$ has been true from position $k$ until the current position in $\mathcal{L}$. The structure $M$ contains a set of substitutions which make $\alpha\,\mathcal{S}_{[lo,hi]}\,\beta$ true in the current position of $\mathcal{L}$. We use $M^i$ (similarly for the other structures too) to represent the structure $M$ at position $i$ of $\mathcal{L}$. We also assume $S_\beta^{-1}$, $S_\alpha^{-1}$ and $M^{-1}$ to be empty (the same applies for the other structures too).

We show here how the structures $S_\beta$ and $M$ are updated. We defer the description of the update of $S_\alpha$ to Appendix C.

To update the structure $S_\beta$, we first calculate the set $\Sigma_\beta$ of substitutions that make $\beta$ true at $i$
ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, p(\vec{t})$) = sat($\mathcal{L}, i, \tau, p(\vec{t}), \sigma_{in}$)

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \forall\vec{x}.(\varphi_1 \to \varphi_2)$) =
  let $\Sigma_1 \leftarrow$ ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1$)
  return $\{\}$ if $\exists\sigma_c \in \Sigma_1.\,($ips($\mathcal{L}, i, \tau, \pi, \sigma_c, \varphi_2$) $= \{\})$
         $\{\sigma_{in}\}$ otherwise

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \alpha\,\mathcal{S}_I\,\beta$) =
  If $\alpha\,\mathcal{S}_I\,\beta$ is a B-formula then
    return $\sigma_{in} \bowtie \pi.A(\alpha\,\mathcal{S}_I\,\beta)(i).M$
  Else
    let $S_\beta \leftarrow \{(\sigma, k) \mid k = \max l.\,((0 \leq l \leq i) \wedge ((\tau_i - \tau_l) \in I) \wedge \sigma \in$ ips($\mathcal{L}, l, \tau, \pi, \sigma_{in}, \beta$))$\}$
        $S_{R1} \leftarrow \{\sigma \mid (\sigma, i) \in S_\beta \wedge 0 \in I\}$
        $S_{R2} \leftarrow \{\bowtie_{k < l \leq i}\,\sigma^\alpha_l \neq \sigma_\bot \mid \exists(\sigma_\beta, k) \in S_\beta.\, k < i \wedge \forall l.\,(k < l \leq i \to \sigma^\alpha_l \in$ ips($\mathcal{L}, l, \tau, \pi, \sigma_\beta, \alpha$))$\}$
    return $S_{R1} \cup S_{R2}$

Figure 5: Definition of the ips function, selected clauses


by calling ips. Pairing all these substitutions with the position $i$ yields $S_{new}$. Next, we compute the set $S_{remove}$ of all old $(\sigma, k)$ pairs that do not satisfy the interval constraint $[lo, hi]$ (i.e., for which $\tau_i - \tau_k > hi$). The updated structure is then obtained by taking the union of $S_{new}$ and the old structure $S_\beta^{(i-1)}$, and removing all the pairs in the set $S_{remove}$.

$\Sigma_\beta \leftarrow$ ips($\mathcal{L}, i, \tau, \pi, \bullet, \beta$)
$S_{new} \leftarrow \{(\sigma, i) \mid \sigma \in \Sigma_\beta\}$
$S_{remove} \leftarrow \{(\sigma, k) \mid (\sigma, k) \in S_\beta^{(i-1)} \wedge (\tau_i - \tau_k) > hi\}$
$S_\beta^i \leftarrow (S_\beta^{(i-1)} \cup S_{new}) \setminus S_{remove}$

To compute the summary structure $M$ for $\alpha\,\mathcal{S}_{[lo,hi]}\,\beta$ at $i$, we first compute the set $S_{R1}$ of all substitutions for which the formula $\beta$ is true in the $i$th position and the interval constraint is respected by the position $i$ itself (i.e., $0 \in [lo, hi]$). Then we compute $S_{R2}$ as the join $\sigma \bowtie \sigma_1$ of substitutions $\sigma$ for which $\beta$ was satisfied at some prior position $k$ within the interval, and substitutions $\sigma_1$ for which $\alpha$ has been true from position $k + 1$ to $i$. The updated structure $M^i$ is the union of $S_{R1}$ and $S_{R2}$.

$S_{R1} \leftarrow \{\sigma \mid (\sigma, i) \in S_\beta^i \wedge 0 \in [lo, hi]\}$
$S_{R2} \leftarrow \{\sigma \bowtie \sigma_1 \mid \exists k, j.\,(\sigma, k) \in S_\beta^i \wedge (k \neq i) \wedge (\tau_i - \tau_k \in [lo, hi]) \wedge (\sigma_1, j) \in S_\alpha^i \wedge (j \leq (k + 1)) \wedge \sigma \bowtie \sigma_1 \neq \sigma_\bot\}$
$M^i \leftarrow S_{R1} \cup S_{R2}$
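The following Python program is an added illustration of the incremental maintenance just described (not code from the paper): it keeps $S_\beta$, $S_\alpha$ and $M$ for a B-formula $\alpha\,\mathcal{S}_{[lo,hi]}\,\beta$ whose operands are atoms, and checks the result at every position against the brute-force since clause of Figure 5. The update of $S_\alpha$, which the paper defers to Appendix C, is implemented here from its stated meaning (a run $(\sigma, j)$ survives position $i$ when $\alpha$ holds at $i$ under a substitution consistent with $\sigma$); the dict encoding of substitutions, the class and function names, the predicates consent/active, the trace and the timestamps are this example's own assumptions.

```python
"""Summary structures for a B-formula alpha S_[lo,hi] beta (Section 4.3), checked
against the brute-force evaluation of Figure 5.

Added illustration, not the paper's code.  alpha and beta are atoms (predicate
name, argument variables); substitutions are dicts and the join of two
substitutions is their union when they agree on shared variables, BOTTOM
otherwise.  Trace, timestamps and predicate tuples are constructed."""

BOTTOM = None


def join(s1, s2):
    """sigma1 |><| sigma2."""
    if s1 is BOTTOM or s2 is BOTTOM:
        return BOTTOM
    if any(s1[v] != s2[v] for v in s1.keys() & s2.keys()):
        return BOTTOM
    return {**s1, **s2}


def sat(trace, i, pred, args, sigma_in):
    """Substitutions extending sigma_in under which pred(args) holds at position i."""
    subs = (join(sigma_in, dict(zip(args, tup))) for tup in trace[i].get(pred, ()))
    return [s for s in subs if s is not BOTTOM]


def key(sigma):
    """Hashable view of a substitution."""
    return frozenset(sigma.items())


class SinceSummary:
    """S_beta, S_alpha and M for alpha S_[lo,hi] beta, maintained one position at a time."""

    def __init__(self, alpha, beta, lo, hi):
        self.alpha, self.beta, self.lo, self.hi = alpha, beta, lo, hi
        self.s_beta = set()   # {(key(sigma), k)}: beta held under sigma at position k
        self.s_alpha = {}     # key(sigma) -> j: alpha held under sigma from j up to now
        self.M = set()

    def update(self, trace, tau, i):
        lo, hi = self.lo, self.hi
        # S_beta^i = (S_beta^(i-1) u S_new) \ S_remove
        s_new = {(key(s), i) for s in sat(trace, i, *self.beta, {})}
        self.s_beta = {(s, k) for (s, k) in self.s_beta | s_new if tau[i] - tau[k] <= hi}
        # S_alpha^i: extend runs that stay consistent with alpha at i, start new runs at i
        now = [key(s) for s in sat(trace, i, *self.alpha, {})]
        runs = {}
        for s1 in now:
            runs[s1] = min(runs.get(s1, i), i)
            for s2, j in self.s_alpha.items():
                s = join(dict(s1), dict(s2))
                if s is not BOTTOM:
                    runs[key(s)] = min(runs.get(key(s), j), j)
        self.s_alpha = runs
        # M^i = S_R1 u S_R2
        m = {s for (s, k) in self.s_beta if k == i and lo <= 0 <= hi}
        for (sb, k) in self.s_beta:
            if k == i or not (lo <= tau[i] - tau[k] <= hi):
                continue
            for sa, j in self.s_alpha.items():
                s = join(dict(sb), dict(sa))
                if j <= k + 1 and s is not BOTTOM:
                    m.add(key(s))
        self.M = m
        return set(m)


def since_brute(trace, tau, i, alpha, beta, lo, hi):
    """Figure 5, non-B clause, with the empty input substitution."""
    result = set()
    for k in range(i, -1, -1):
        if not (lo <= tau[i] - tau[k] <= hi):
            continue
        for sb in sat(trace, k, *beta, {}):
            cur = [sb]
            for p in range(k + 1, i + 1):     # alpha must hold, consistently, at k+1..i
                cur = [s for c in cur for s in sat(trace, p, *alpha, c)]
            result |= {key(s) for s in cur}
    return result


# Constructed trace: consent(u, p) must have been given within the last hi time
# units and the user must have stayed active ever since.
ALPHA = ("active", ("u",))
BETA = ("consent", ("u", "p"))
TAU = [0, 1, 2, 3, 4, 5]
TRACE = [
    {"consent": {("alice", "p1")}, "active": {("alice",)}},
    {"consent": {("bob", "p2")}, "active": {("alice",), ("bob",)}},
    {"active": {("alice",)}},                   # bob inactive: his run breaks
    {"active": {("alice",), ("bob",)}},
    {"active": {("alice",)}},                   # alice's consent is now older than hi=3
    {"consent": {("carol", "p3")}},
]


def run_example(lo=0, hi=3):
    """Returns (M at each position, whether the summary matches brute force everywhere)."""
    summary = SinceSummary(ALPHA, BETA, lo, hi)
    results, agree = [], True
    for i in range(len(TRACE)):
        m = summary.update(TRACE, TAU, i)
        agree = agree and (m == since_brute(TRACE, TAU, i, ALPHA, BETA, lo, hi))
        results.append(m)
    return results, agree
```

The brute-force clause rescans up to $hi$ positions of the log for every $\beta$ match at every step, while the summary touches only the pairs that survived the previous step; the pruning by $\tau_i - \tau_k > hi$ is what keeps $S_\beta$ bounded by the policy bound rather than the trace length, which is the memory behaviour reported in Section 5.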


4.4  Optimizations 

When all temporal sub-formulas of $\varphi$ are B-formulas, curPtr and evalPtr proceed in synchronization and only the summary structure for position curPtr needs to be maintained. When $\varphi$ contains future temporal formulas but all past temporal sub-formulas of $\varphi$ are B-formulas, then we need to maintain only the summary structures for positions in [evalPtr, curPtr], and the rest of the log can be discarded immediately. When $\varphi$ contains at least one past temporal subformula that is not a B-formula, we need to store the slice of the trace that contains all predicates occurring in that non-B-formula.

The  following  theorem  states  that  on  well-moded  policies,  precis  terminates  and  is  correct. 




The theorem requires that the internal state $\pi$ be strongly consistent at curPtr with respect to the log $\mathcal{L}$, time stamp sequence $\tau$, and policy $\varphi$. Strong consistency means that the state $\pi$ contains sound and complete substitutions for all B-formulas of $\varphi$ for all trace positions in [0, curPtr] (see Appendix D.3).

Theorem 1 (Correctness of precis). For all QMV policies $\varphi$, for all evalPtr, curPtr $\in \mathbb{N}$, for all traces $\mathcal{L}$, for all time stamp sequences $\tau$, for all internal states $\pi$, for all empty environments $\eta_0$ such that (1) $\pi$ is strongly consistent at curPtr with respect to $\mathcal{L}$, $\tau$, and $\varphi$, (2) curPtr $\geq$ evalPtr and $\tau_{\text{curPtr}} - \tau_{\text{evalPtr}} \geq \Delta(\varphi)$, and (3) $\{\}, \{\} \vdash \varphi : \chi_O$ where $\chi_O \subseteq fv(\varphi)$, it is the case that checkCompliance($\mathcal{L}$, evalPtr, $\tau$, $\pi$, $\varphi$) terminates and, if checkCompliance($\mathcal{L}$, evalPtr, $\tau$, $\pi$, $\varphi$) $=$ tVal, then (tVal $=$ true) $\Leftrightarrow \exists\sigma.\,(\mathcal{L}, \tau, \text{evalPtr}, \eta_0 \models \varphi\sigma)$.

Proof. By induction on the policy formula $\varphi$ (see Appendix D). □

Complexity of precis. The runtime complexity of one iteration of precis for a given policy $\varphi$ is $|\varphi| \times$ (complexity of the uSS function) $+$ (complexity of the ips function), where $|\varphi|$ is the policy size. We first analyze the runtime complexity of ips. Suppose the maximum number of substitutions returned by a single call to sat (for any position in the trace) is $F$ and the maximum time required by sat to produce one substitution is $A$. The worst case runtime of ips occurs when all subformulas of $\varphi$ are non-B-formulas of the form $\varphi_1\,\mathcal{S}\,\varphi_2$, and in that case the complexity is $O((A \times F \times L)^{O(|\varphi|)})$, where $L$ denotes the length of the trace. uSS is invoked only for B-formulas. From the definition of mode checking, all sub-formulas of a B-formula are also B-formulas. This property of B-formulas ensures that when uSS calls ips, the worst case behavior of ips is not encountered. The overall complexity of uSS is $O(|\varphi| \times (A \times F)^{O(|\varphi|)})$. Thus, the runtime complexity of each iteration of precis is $O((A \times F \times L)^{O(|\varphi|)})$.

5  Implementation  and  Evaluation 

This section reports an experimental evaluation of the precis algorithm. All measurements were made on a 2.67GHz Intel Xeon CPU X5650 running Debian GNU/Linux 7 (Linux kernel 3.2.48.1.amd64-smp) with 48GB RAM, of which at most 2.2GB is used in our experiments. We store traces in a SQLite database. Each n-ary predicate is represented by an (n+1)-column table whose first n columns store the arguments that make the predicate true on the trace and whose last column stores the trace position where the predicate is true. We index each table by the columns corresponding to input positions of the predicate. We experiment with randomly generated synthetic traces. Given a QMV policy and a target trace length, at each trace point our synthetic trace generator randomly decides whether to generate a policy-compliant action or a policy-violating action. For a compliant action, it recursively traverses the syntax of the policy and creates trace actions to satisfy the policy. Disjunctive choices are resolved randomly. Non-compliant actions are handled dually. The source code and traces used in the experiments are available from the authors' homepages.

Our goal is to demonstrate that incrementally maintaining summary structures for B-formulas can improve the performance of policy compliance checking. Our baseline for comparison is a variant of precis that does not use any summary structures and, hence, checks temporal operators by brute force scanning. This baseline algorithm is very similar to the reduce algorithm of prior work [4] and, indeed, in the sequel we refer to our baseline as reduce. For the experimental results reported here, we deliberately hold traces in an in-memory SQLite database. This choice
Figure 6: Experimental timing results (HIPAA) with memory-backed database (four panels: Bound=100, Bound=1000, Bound=3000, Bound=$\infty$)


is conservative; using a disk-backed database improves precis' performance relative to reduce because reduce accesses the database more intensively (Appendix F contains a comparative evaluation using a disk-backed database and confirms this claim). Another goal of our experiment is to identify how precis scales when larger summary structures must be maintained. Accordingly, we vary the upper bound $hi$ in the intervals $[lo, hi]$ of past temporal operators.

We experiment with two privacy policies that contain selected clauses of HIPAA and GLBA, respectively. As precis and reduce check compliance of non-B-formulas similarly, to demonstrate the utility of building summary structures, we ensure that the policies contain B-formulas
Algorithm                         | Incomplete states | Mode of   | Summary structures | Summary structures
                                  | allowed?          | operation | (past formulas)    | (future formulas)
----------------------------------+-------------------+-----------+--------------------+-------------------
precis                            | no                | online    | yes                | no
reduce [4]                        | yes               | offline   | no                 | no
Chomicki [8], Krukow et al. [10]  | no                | online    | yes                | no
Bauer et al. [11]                 | yes               | online    | yes                | no
Basin et al. [5]                  | no                | online    | yes                | yes
Basin et al. [6]                  | yes               | online    | yes                | yes
Bauer et al. [19]                 | no                | online    | (automata)*        | (automata)*

Table 1: Comparison of design choices in precis and prior work using first-order temporal logic for privacy compliance. *Automata-based approaches have no explicit notion of summary structures.


(in our HIPAA policy, 7 out of 8 past temporal formulas are B-formulas; for GLBA the number is 4 out of 9). Appendix E lists the policies we used. Figure 6 shows our evaluation times for the HIPAA privacy policy for the following upper bounds on the past temporal operators: 100, 1000, 3000, and $\infty$. Points along the x-axis are the size of the trace and also the number of privacy-critical events checked. The y-axis represents the average monitoring time per event. We plot four curves for each bound: (1) the time taken by precis, (2) the time taken by reduce, (3) the time spent by precis in building and accessing summary structures for B-formulas, and (4) the time spent by reduce in evaluating B-formulas. For all trace positions $i \in \mathbb{N}$, $\tau_{i+1} - \tau_i = 1$.

The difference between (1) and (3), and between (2) and (4), is similar at all trace lengths because it is the time spent on the non-buildable parts of the policy, which is similar in precis and reduce. For the policy considered here, reduce spends most of its time on B-formulas, so construction of summary structures improves performance. For trace lengths greater than the bound, the curves flatten out, as expected. As the bound increases, the average execution time for reduce increases, as the algorithm has to look back further on the trace, and so does the relative advantage of precis. Overall, precis achieves a speedup of 2.5x-6.5x over reduce after the curves flatten out for the HIPAA policy. The results for GLBA, not shown here but presented in Appendix F, are similar, with speedups of 1.25x to 1.5x. The technical report also describes the amount of memory needed to store summary structures in precis. Briefly, this number grows proportionally to the minimum of the trace length and the policy bound. The maximum we observe (for trace length 13000 and bound $\infty$) is 2.2 GB, which is very reasonable. This can be further improved by compression.


6  Related  Work 


Runtime monitoring of propositional linear temporal logic (pLTL) formulas [20], regular expressions, finite automata, and other equivalent variants has been studied extensively in the literature [21-47]. However, pLTL and its variants are not sufficient to capture the privacy requirements of legislation like HIPAA and GLBA. To address this limitation, many logics and languages have been proposed for specifying privacy policies. Some examples are P3P [48, 49], EPAL [50, 51], Privacy APIs [52], LPU [53, 54], the past-only fragment of first-order temporal logic (FOTL) [10], predLTL [55], pLogic [56], PrivacyLFP [12], MFOTL [5-7], the guarded fragment of first-order logic with explicit time [4], and P-RBAC [57]. Our policy language, QMV, is more expressive than many existing policy languages such as LPU [53, 54], P3P [48, 49], EPAL [50, 51], and P-RBAC [57].


In Table 1, we summarize design choices in precis and other existing work on privacy policy compliance checking using first-order temporal logics. The column "Incomplete states allowed?" indicates whether the work can handle some form of incompleteness in observations about states. Our own prior work [4] presents the algorithm reduce that checks compliance of a mode-checked fragment of FOL policies with respect to potentially incomplete logs. This paper makes the mode check time-aware and adds summary structures to reduce, but we assume that our event traces have complete information in all observed states.

Bauer et al. [11] present a compliance-checking algorithm for the (non-metric) past fragment of FOTL. QMV can handle both past and future (metric) temporal operators. However, Bauer et al. allow counting operators, arbitrary computable functions, and partial observability of events, which we do not allow. They allow a somewhat simplified guarded universal quantification where the guard is a single predicate. In QMV, we allow the guard of the universal quantification to be a complex QMV formula. For instance, the following formula cannot be expressed in the language proposed by Bauer et al. but QMV mode checks it: $\forall x, y.\,(q(x^+, y^+)\,\mathcal{S}\,p(x^-, y^-)) \to r(x^+, y^+)$. Moreover, Bauer et al. only consider closed formulas and also assume that each predicate argument position is an output. We do not insist on these restrictions. In further development, Bauer et al. [19] propose an automata-based, incomplete monitoring algorithm for a fragment of FOTL called LTL$^{FO}$. They consider non-safety policies (unbounded future operators), which we do not consider.

Basin et al. [5] present a runtime monitoring algorithm for a fragment of MFOTL. Our summary structures are directly inspired by this work and the work of Chomicki [8, 9]. We improve expressiveness through the possibility of brute force search, similar to [4], when subformulas are not amenable to summarization. Basin et al. build summary structures for future operators, which we do not (such structures can be added to our monitoring algorithm). In subsequent work, Basin et al. [6] extend their runtime monitoring algorithm to handle incomplete logs and inconsistent logs using a three-valued logic, which we do not consider. In more recent work, Basin et al. [7] extend the monitoring algorithm to handle aggregation operators and function symbols, which QMV does not include. These extensions are orthogonal to our work.

Our temporal mode check directly extends mode checking from [4] by adding time-sensitivity, although the setting is different: [4] is based on first-order logic with an explicit theory of linear time whereas we work with MFOTL. The added time-sensitivity allows us to classify subformulas into those that can be summarized and those that must be brute forced. Some prior work, e.g. [5-11], is based on the safe-range check instead of the mode check. The safe-range check is less expressive than a mode check. For example, the safe-range check does not accept the formula $q(x^+, y^+, z^-)\,\mathcal{S}\,p(x^-, y^-)$, but our temporal mode check does (however, the safe-range check will accept the formula $q(x^-, y^-, z^-)\,\mathcal{S}\,p(x^-, y^-)$). More recent work [7] uses a static check intermediate in expressiveness between the safe-range check and a full-blown mode check.


7  Conclusion 

We have presented a privacy policy compliance-checking algorithm for a fragment of MFOTL. The fragment is characterized by a novel temporal mode check which, like a conventional mode check, ensures that only finitely many instantiations of quantifiers are tested but is, additionally, time-aware and can determine which subformulas of the policy are amenable to the construction of summary structures. Using information from the temporal mode check, our algorithm precis performs best-effort runtime monitoring, falling back to brute force search when summary structures cannot be constructed. Empirical evaluation shows that summary structures improve performance significantly compared to a baseline without them.
Appendix

A Temporal Mode Checking $\vdash_B$ and $\vdash$ Judgements

In this section, we present the formal rules for the temporal mode checking $\vdash_B$ and $\vdash$ judgements. The complete set of rules for $\vdash_B$ judgements is shown in Figure 7.

The complete set of rules for $\vdash$ judgements is shown in Figures 8, 9, and 10. Note that we do not present the cases of $\boxminus$, $\Box$, $\ominus$, and $\bigcirc$. The mode checking judgements for $\boxminus$ and $\ominus$ are exactly like the $\blacklozenge$ case. On the other hand, the mode checking judgements for $\Box$ and $\bigcirc$ are exactly like the $\Diamond$ case.


B  Definition  of  ips 

We present the complete definition of ips in Figure 11.

C  Updating  Summary  Structures 

In  this  section,  we  present  how  to  update  the  summary  structure  for  the  current  trace  position  if 
we  are  given  the  summary  structures  for  the  previous  trace  position. 

C.1 Summary Structure For $\ominus_I\varphi$

We now explain how to incrementally maintain the structure for a buildable temporal sub-formula of the form $\ominus_{[lo,hi]}\varphi$. For each such formula, we have two summary structures, $T$ and $M$. We denote the summary structures at execution position $i$ by $T^i$ and $M^i$. Each element of $T^i$ is a substitution $\sigma$, which signifies that the formula $\varphi$ was true with substitution $\sigma$ at execution position $i$. Each element of $M^i$ is a substitution $\sigma$ which signifies that the formula $\ominus_{[lo,hi]}\varphi$ is true in the current execution position $i$ with substitution $\sigma$. We now show how we can incrementally maintain the structures $T^i$ and $M^i$ provided that we have access to the structures $T^{(i-1)}$ and $M^{(i-1)}$.
$\chi_C \vdash_B \varphi : \chi_O$

$$\dfrac{}{\chi_C \vdash_B \top : \{\}}\ [\text{B-TRUE}] \qquad\qquad \dfrac{}{\chi_C \vdash_B \bot : \{\}}\ [\text{B-FALSE}]$$

$$\dfrac{\forall k \in I(p).\, fv(t_k) \subseteq \chi_C \qquad \chi_O = \bigcup_{j \in O(p)} fv(t_j)}{\chi_C \vdash_B p(t_1, \ldots, t_n) : \chi_O}\ [\text{B-PRE}]$$

$$\dfrac{\{\} \vdash_B \varphi_2 : \chi_1 \qquad \chi_1 \vdash_B \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C \vdash_B \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}\ [\text{B-SINCE}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C \cup \chi_1 \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cup \chi_2}{\chi_C \vdash_B \varphi_1 \wedge \varphi_2 : \chi_O}\ [\text{B-AND}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cap \chi_2}{\chi_C \vdash_B \varphi_1 \vee \varphi_2 : \chi_O}\ [\text{B-OR}]$$

$$\dfrac{\chi_C \vdash_B \varphi : \chi_1 \qquad \chi_O = \chi_1 \setminus \{x\}}{\chi_C \vdash_B \exists x.\varphi : \chi_O}\ [\text{B-EXISTS}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad fv(\varphi_1), fv(\varphi_2) \subseteq \chi_C \cup \{\vec{x}\} \qquad \{\vec{x}\} \subseteq \chi_1 \qquad \chi_C \cup \chi_1 \vdash_B \varphi_2 : \chi_2}{\chi_C \vdash_B \forall\vec{x}.(\varphi_1 \to \varphi_2) : \{\}}\ [\text{B-UNIV}]$$

$$\dfrac{\{\} \vdash_B \varphi : \chi_O}{\chi_C \vdash_B \boxminus_I\varphi : \chi_O}\ [\text{B-HIST}] \qquad \dfrac{\{\} \vdash_B \varphi : \chi_O}{\chi_C \vdash_B \blacklozenge_I\varphi : \chi_O}\ [\text{B-ONCE}] \qquad \dfrac{\{\} \vdash_B \varphi : \chi_O}{\chi_C \vdash_B \ominus_I\varphi : \chi_O}\ [\text{B-LAST}]$$

Figure 7: Temporal mode checking $\vdash_B$ judgements
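As an added illustration of how the rules of Figure 7 are applied (this is not the paper's implementation), the following Python program runs the $\vdash_B$ judgement over a tuple-encoded formula tree in which every atom carries the mode of each argument position, and evaluates it on the two formulas discussed in Section 6 plus rejected variants. The encoding, the helper names atom, fv and check_B, and the example predicates p, q, r are this example's own choices; check_B returns $\chi_O$ when a rule applies and None otherwise.

```python
"""The buildability judgement chi_C |-_B phi : chi_O of Figure 7 as a checker over
formula trees.

Added illustration, not the paper's implementation.  atom("p", "x+", "y-") is
p(x+, y-): "+" marks an input position that must already be ground, "-" an
output position that the predicate grounds.  Since formulas are
("since", lo, hi, alpha, beta); the interval is irrelevant to |-_B."""


def atom(pred, *modes):
    """("atom", pred, ((var, "+"|"-"), ...)) from strings like "x+" and "z-"."""
    return ("atom", pred, tuple((m[:-1], m[-1]) for m in modes))


def fv(phi):
    """Free variables of phi."""
    op = phi[0]
    if op in ("true", "false"):
        return set()
    if op == "atom":
        return {v for v, _ in phi[2]}
    if op in ("and", "or", "since", "until"):
        return fv(phi[-2]) | fv(phi[-1])
    if op == "exists":                                  # ("exists", x, phi)
        return fv(phi[2]) - {phi[1]}
    if op == "forall":                                  # ("forall", vars, guard, body)
        return (fv(phi[2]) | fv(phi[3])) - set(phi[1])
    return fv(phi[-1])                                  # unary temporal operators


def check_B(chi_c, phi):
    """chi_C |-_B phi : chi_O.  Returns chi_O, or None if no rule of Figure 7 applies."""
    op = phi[0]
    if op in ("true", "false"):                         # [B-TRUE], [B-FALSE]
        return set()
    if op == "atom":                                    # [B-PRE]
        if any(v not in chi_c for v, m in phi[2] if m == "+"):
            return None                                 # an input position is not ground
        return {v for v, m in phi[2] if m == "-"}
    if op == "and":                                     # [B-AND]: phi1's outputs feed phi2
        x1 = check_B(chi_c, phi[1])
        x2 = None if x1 is None else check_B(chi_c | x1, phi[2])
        return None if x2 is None else x1 | x2
    if op == "or":                                      # [B-OR]: only common outputs survive
        x1, x2 = check_B(chi_c, phi[1]), check_B(chi_c, phi[2])
        return None if x1 is None or x2 is None else x1 & x2
    if op == "exists":                                  # [B-EXISTS]
        x1 = check_B(chi_c, phi[2])
        return None if x1 is None else x1 - {phi[1]}
    if op == "forall":                                  # [B-UNIV]
        xs, guard, body = set(phi[1]), phi[2], phi[3]
        x1 = check_B(chi_c, guard)
        if x1 is None or not xs <= x1 or not (fv(guard) | fv(body)) <= chi_c | xs:
            return None
        return set() if check_B(chi_c | x1, body) is not None else None
    if op == "since":                                   # [B-SINCE]: beta is checked first,
        x1 = check_B(set(), phi[4])                     # with nothing ground; its outputs
        if x1 is None or check_B(x1, phi[3]) is None:   # are the inputs available to alpha
            return None
        return x1
    if op in ("prev", "hist", "once"):                  # [B-LAST], [B-HIST], [B-ONCE]
        return check_B(set(), phi[-1])
    return None                                         # no |-_B rule for future operators


# q(x+, y+, z-) S p(x-, y-): accepted by the temporal mode check (Section 6).
EX_SINCE = ("since", 0, 10, atom("q", "x+", "y+", "z-"), atom("p", "x-", "y-"))
# forall x, y. (q(x+, y+) S p(x-, y-)) -> r(x+, y+): the guard grounds x and y.
EX_UNIV = ("forall", ("x", "y"),
           ("since", 0, 10, atom("q", "x+", "y+"), atom("p", "x-", "y-")),
           atom("r", "x+", "y+"))
# Operands swapped: q's inputs are needed before anything has been ground.
EX_SWAPPED = ("since", 0, 10, atom("p", "x-", "y-"), atom("q", "x+", "y+"))
# p grounds only y, so q's input x is never ground.
EX_UNBOUND = ("since", 0, 10, atom("q", "x+"), atom("p", "y-"))
# A bounded-future operator has no |-_B rule: not buildable.
EX_FUTURE = ("eventually", 0, 10, atom("p", "x-"))
```

Calling check_B with an empty $\chi_C$ corresponds to the judgement uSS needs, since summary structures are built with the empty input substitution; the order in which [B-SINCE] checks $\beta$ before $\alpha$ is what makes EX_SINCE buildable and EX_SWAPPED not, even though both have the same atoms.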
$\chi_C, \chi_F \vdash \varphi : \chi_O$

$$\dfrac{}{\chi_C, \chi_F \vdash \top : \{\}}\ [\text{TRUE}] \qquad\qquad \dfrac{}{\chi_C, \chi_F \vdash \bot : \{\}}\ [\text{FALSE}]$$

$$\dfrac{\forall k \in I(p).\, fv(t_k) \subseteq (\chi_C \cup \chi_F) \qquad \chi_O = \bigcup_{j \in O(p)} fv(t_j)}{\chi_C, \chi_F \vdash p(t_1, \ldots, t_n) : \chi_O}\ [\text{PRE-1}]
\qquad
\dfrac{\chi_C \vdash_B p(t_1, \ldots, t_n) : \chi_O}{\chi_C, \chi_F \vdash p(t_1, \ldots, t_n) : \chi_O}\ [\text{PRE-2}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C \cup \chi_1, \chi_F \vdash \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cup \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \wedge \varphi_2 : \chi_O}\ [\text{AND-1}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \chi_C, \chi_F \cup \chi_1 \vdash \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cup \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \wedge \varphi_2 : \chi_O}\ [\text{AND-2}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \chi_C \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cup \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \wedge \varphi_2 : \chi_O}\ [\text{AND-3}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C \cup \chi_1 \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cup \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \wedge \varphi_2 : \chi_O}\ [\text{AND-4}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C, \chi_F \vdash \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cap \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \vee \varphi_2 : \chi_O}\ [\text{OR-1}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \chi_C, \chi_F \vdash \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cap \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \vee \varphi_2 : \chi_O}\ [\text{OR-2}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \chi_C \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cap \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \vee \varphi_2 : \chi_O}\ [\text{OR-3}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \chi_C \vdash_B \varphi_2 : \chi_2 \qquad \chi_O = \chi_1 \cap \chi_2}{\chi_C, \chi_F \vdash \varphi_1 \vee \varphi_2 : \chi_O}\ [\text{OR-4}]$$

Figure 8: Temporal mode checking $\vdash$ judgements (base cases and logical connective cases)
$\chi_C, \chi_F \vdash \varphi : \chi_O$

$$\dfrac{\chi_C, \chi_F \vdash \varphi : \chi_1 \qquad \chi_O = \chi_1 \setminus \{x\}}{\chi_C, \chi_F \vdash \exists x.\varphi : \chi_O}\ [\text{EXIST-1}]
\qquad
\dfrac{\chi_C \vdash_B \varphi : \chi_1 \qquad \chi_O = \chi_1 \setminus \{x\}}{\chi_C, \chi_F \vdash \exists x.\varphi : \chi_O}\ [\text{EXIST-2}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \{\vec{x}\} \subseteq \chi_1 \qquad fv(\varphi_1) \subseteq \chi_C \cup \chi_F \cup \{\vec{x}\} \qquad fv(\varphi_2) \subseteq (\chi_C \cup \chi_1 \cup \chi_F) \qquad \chi_C, \chi_F \cup \chi_1 \vdash \varphi_2 : \chi_2}{\chi_C, \chi_F \vdash \forall\vec{x}.(\varphi_1 \to \varphi_2) : \{\}}\ [\text{UNIV-1}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \{\vec{x}\} \subseteq \chi_1 \qquad fv(\varphi_1) \subseteq \chi_C \cup \{\vec{x}\} \qquad fv(\varphi_2) \subseteq (\chi_C \cup \chi_1 \cup \chi_F) \qquad \chi_C \cup \chi_1, \chi_F \vdash \varphi_2 : \chi_2}{\chi_C, \chi_F \vdash \forall\vec{x}.(\varphi_1 \to \varphi_2) : \{\}}\ [\text{UNIV-2}]$$

$$\dfrac{\chi_C \vdash_B \varphi_1 : \chi_1 \qquad \{\vec{x}\} \subseteq \chi_1 \qquad fv(\varphi_1) \subseteq \chi_C \cup \{\vec{x}\} \qquad fv(\varphi_2) \subseteq (\chi_C \cup \chi_1) \qquad \chi_C \cup \chi_1 \vdash_B \varphi_2 : \chi_2}{\chi_C, \chi_F \vdash \forall\vec{x}.(\varphi_1 \to \varphi_2) : \{\}}\ [\text{UNIV-3}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_1 : \chi_1 \qquad \{\vec{x}\} \subseteq \chi_1 \qquad fv(\varphi_1) \subseteq \chi_C \cup \chi_F \cup \{\vec{x}\} \qquad fv(\varphi_2) \subseteq \chi_C \qquad \chi_C \vdash_B \varphi_2 : \chi_2}{\chi_C, \chi_F \vdash \forall\vec{x}.(\varphi_1 \to \varphi_2) : \{\}}\ [\text{UNIV-4}]$$

Figure 9: Temporal mode checking $\vdash$ judgements (quantifier cases)

We have $T^i \leftarrow$ ips($\mathcal{L}, i, \tau, \pi, \bullet, \varphi$). Once we have updated $T^i$, we can update $M^i$ in the following way.

$$M^i = \begin{cases}
\emptyset & \text{when } i = 0\\
\{\sigma \mid \sigma \in T^{(i-1)} \wedge (lo \leq \tau_i - \tau_{i-1} \leq hi)\} & \text{when } i > 0
\end{cases}$$


C.2 Summary Structure For $\blacklozenge_I\varphi$

We now explain how to incrementally maintain the structure for a buildable temporal sub-formula of the form $\blacklozenge_{[lo,hi]}\varphi$. For each such formula, we have two summary structures, $P$ and $M$. We denote the summary structures at execution position $i$ by $P^i$ and $M^i$. Each element of $P^i$ is a pair of the form $(\sigma, k)$ which signifies that the formula $\varphi$ was true with substitution $\sigma$ at execution position $k$. Each element of $M^i$ is a substitution $\sigma$ which signifies that the formula $\blacklozenge_{[lo,hi]}\varphi$ is true in the current execution position $i$ with substitution $\sigma$. We now show how we can incrementally maintain the structures $P^i$ and $M^i$ provided that we have access to the structures $P^{(i-1)}$ and $M^{(i-1)}$. Note that we assume both $P^{(-1)}$ and $M^{(-1)}$ to be empty.

$\Sigma \leftarrow$ ips($\mathcal{L}, i, \tau, \pi, \bullet, \varphi$)
$S_a \leftarrow \{(\sigma, i) \mid \sigma \in \Sigma \wedge 0 \leq hi\}$
$S_r \leftarrow \{(\sigma, k) \mid (\sigma, k) \in P^{(i-1)} \wedge \tau_i - \tau_k > hi\}$
$P^i \leftarrow (P^{(i-1)} \setminus S_r) \cup S_a$
$M^i \leftarrow \{\sigma \mid \exists k.\,(\sigma, k) \in P^i \wedge \tau_i - \tau_k \in [lo, hi]\}$

The set $\Sigma$ contains all the substitutions for which $\varphi$ holds true in execution position $i$. The set $S_a$ contains all the new pairs $(\sigma, i)$ denoting that $\varphi$ holds with substitution $\sigma$ at $i$. The set
$\chi_C, \chi_F \vdash \varphi : \chi_O$

$$\dfrac{\{\} \vdash_B \varphi_2 : \chi_1 \qquad \chi_1, (\chi_C \cup \chi_F) \vdash \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}\ [\text{SINCE-1}]$$

$$\dfrac{\{\}, \chi_C \cup \chi_F \vdash \varphi_2 : \chi_1 \qquad \{\}, \chi_C \cup \chi_F \cup \chi_1 \vdash \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}\ [\text{SINCE-2}]$$

$$\dfrac{\{\}, \chi_C \cup \chi_F \vdash \varphi_2 : \chi_1 \qquad \{\} \vdash_B \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}\ [\text{SINCE-3}]$$

$$\dfrac{\{\} \vdash_B \varphi_2 : \chi_1 \qquad \chi_1 \vdash_B \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_O}\ [\text{SINCE-4}]$$

$$\dfrac{\chi_C \vdash_B \varphi_2 : \chi_1 \qquad \chi_C, \chi_F \cup \chi_1 \vdash \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_O}\ [\text{UNTIL-1}]$$

$$\dfrac{\chi_C \vdash_B \varphi_2 : \chi_1 \qquad \chi_C \vdash_B \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_O}\ [\text{UNTIL-2}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_2 : \chi_1 \qquad \chi_C \vdash_B \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_O}\ [\text{UNTIL-3}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi_2 : \chi_1 \qquad \chi_C, \chi_F \cup \chi_1 \vdash \varphi_1 : \chi_2 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_O}\ [\text{UNTIL-4}]$$

$$\dfrac{\{\}, \chi_C \cup \chi_F \vdash \varphi : \chi_1 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \blacklozenge_I\varphi : \chi_O}\ [\text{ONCE-1}]
\qquad
\dfrac{\{\} \vdash_B \varphi : \chi_1 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \blacklozenge_I\varphi : \chi_O}\ [\text{ONCE-2}]$$

$$\dfrac{\chi_C, \chi_F \vdash \varphi : \chi_1 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \Diamond_I\varphi : \chi_O}\ [\text{EVENTUALLY-1}]
\qquad
\dfrac{\chi_C \vdash_B \varphi : \chi_1 \qquad \chi_O = \chi_1}{\chi_C, \chi_F \vdash \Diamond_I\varphi : \chi_O}\ [\text{EVENTUALLY-2}]$$

Figure 10: Temporal mode checking $\vdash$ judgements (temporal operator cases)
ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \top$) = $\{\sigma_{in}\}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \bot$) = $\{\}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, p(t_1, \ldots, t_n)$) = sat($\mathcal{L}, i, \tau, p(t_1, \ldots, t_n), \sigma_{in}$)

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1 \vee \varphi_2$) = ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1$) $\cup$ ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_2$)

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1 \wedge \varphi_2$) = $\bigcup_{\sigma_c \in \text{ips}(\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1)}$ ips($\mathcal{L}, i, \tau, \pi, \sigma_c, \varphi_2$)

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \exists x.\varphi$) = ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi$) $\setminus \{x\}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \forall\vec{x}.(\varphi_1 \to \varphi_2)$) =
  let $\Sigma_1 \leftarrow$ ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1$)
  return $\{\}$ if $\exists\sigma_c \in \Sigma_1.\,($ips($\mathcal{L}, i, \tau, \pi, \sigma_c, \varphi_2$) $= \{\})$
         $\{\sigma_{in}\}$ otherwise

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \alpha\,\mathcal{S}_I\,\beta$) =
  $\sigma_{in} \bowtie \pi.A(\alpha\,\mathcal{S}_I\,\beta)(i).M$   if B $\in$ label($\alpha\,\mathcal{S}_I\,\beta$)
  If B $\notin$ label($\alpha\,\mathcal{S}_I\,\beta$):
    let $S_\beta \leftarrow \{(\sigma, k) \mid k = \max l.\,((0 \leq l \leq i) \wedge ((\tau_i - \tau_l) \in I) \wedge \sigma \in$ ips($\mathcal{L}, l, \tau, \pi, \sigma_{in}, \beta$))$\}$
        $S_{R1} \leftarrow \{\sigma \mid (\sigma, i) \in S_\beta \wedge 0 \in I\}$
        $S_{R2} \leftarrow \{\bowtie_{k < l \leq i}\,\sigma^\alpha_l \neq \sigma_\bot \mid \exists(\sigma_\beta, k) \in S_\beta.\, k < i \wedge \forall l.\,(k < l \leq i \to \sigma^\alpha_l \in$ ips($\mathcal{L}, l, \tau, \pi, \sigma_\beta, \alpha$))$\}$
    return $S_{R1} \cup S_{R2}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \ominus_I\alpha$) =
  $\sigma_{in} \bowtie \pi.A(\ominus_I\alpha)(i).M$   if B $\in$ label($\ominus_I\alpha$)
  ips($\mathcal{L}, i - 1, \tau, \pi, \sigma_{in}, \alpha$)   if $i \geq 1$, $\tau_i - \tau_{i-1} \in I$, and B $\notin$ label($\ominus_I\alpha$)
  $\{\}$   otherwise

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \blacklozenge_I\alpha$) =
  $\sigma_{in} \bowtie \pi.A(\blacklozenge_I\alpha)(i).M$   if B $\in$ label($\blacklozenge_I\alpha$)
  $\{\sigma \mid \exists k.\,(k \leq i \wedge \tau_i - \tau_k \in I \wedge \sigma \in$ ips($\mathcal{L}, k, \tau, \pi, \sigma_{in}, \alpha$))$\}$   if B $\notin$ label($\blacklozenge_I\alpha$)

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \boxminus_I\alpha$) =
  $\sigma_{in} \bowtie \pi.A(\boxminus_I\alpha)(i).M$   if B $\in$ label($\boxminus_I\alpha$)
  $\{\sigma \mid \forall k.\,(0 \leq k \leq i \wedge \tau_i - \tau_k \in I \to \sigma \in$ ips($\mathcal{L}, k, \tau, \pi, \sigma_{in}, \alpha$))$\}$   if B $\notin$ label($\boxminus_I\alpha$)

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \alpha\,\mathcal{U}_I\,\beta$) =
  let $S_\beta \leftarrow \{(\sigma, k) \mid k = \min l.\,(l \geq i \wedge ((\tau_l - \tau_i) \in I) \wedge \sigma \in$ ips($\mathcal{L}, l, \tau, \pi, \sigma_{in}, \beta$))$\}$
      $S_{R1} \leftarrow \{\sigma \mid (\sigma, i) \in S_\beta \wedge 0 \in I\}$
      $S_{R2} \leftarrow \{\bowtie_{i \leq l < k}\,\sigma^\alpha_l \neq \sigma_\bot \mid \exists(\sigma_\beta, k) \in S_\beta.\, k \neq i \wedge \forall l.\,(i \leq l < k \to \sigma^\alpha_l \in$ ips($\mathcal{L}, l, \tau, \pi, \sigma_\beta, \alpha$))$\}$
  return $S_{R1} \cup S_{R2}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \bigcirc_I\alpha$) = $\{\sigma \mid \sigma \in$ ips($\mathcal{L}, i + 1, \tau, \pi, \sigma_{in}, \alpha$) $\wedge (\tau_{i+1} - \tau_i \in I)\}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \Diamond_I\alpha$) = $\{\sigma \mid \exists k.\,(k \geq i \wedge \tau_k - \tau_i \in I \wedge \sigma \in$ ips($\mathcal{L}, k, \tau, \pi, \sigma_{in}, \alpha$))$\}$

ips($\mathcal{L}, i, \tau, \pi, \sigma_{in}, \Box_I\alpha$) = $\{\sigma \mid \forall k.\,(k \geq i \wedge \tau_k - \tau_i \in I \to \sigma \in$ ips($\mathcal{L}, k, \tau, \pi, \sigma_{in}, \alpha$))$\}$

Figure 11: The definition of the ips function.


$S_r$ contains all the pairs of the form $(\sigma, k)$ where $\varphi$ was true with substitution $\sigma$ at $k$ but which now violate the interval constraint $[lo, hi]$. Thus, we add the new pairs and throw out the old pairs from the structure $P^{(i-1)}$ to get the new structure $P^i$. Once we have updated the structure $P^i$, we calculate the structure $M^i$ by choosing $\sigma$ out of the pairs $(\sigma, k) \in P^i$ for which the interval constraint is satisfied.

C.3 Summary Structure For $\boxminus_I\varphi$

In this section, we explain how to incrementally maintain the structure for a buildable temporal sub-formula of form $\boxminus_I\varphi$. For each such formula, we have two summary structures $\mathbb{H}$ and $\mathbb{R}$.

We denote the summary structures at execution position $i$ by $\mathbb{H}^{i}$ and $\mathbb{R}^{i}$. Each element of $\mathbb{H}^{i}$ is a triple of form $(\sigma, l, r)$ which signifies that the formula $\varphi$ was true with substitution $\sigma$ from execution position $l$ to $r$, inclusive. Each element of $\mathbb{R}^{i}$ is a substitution $\sigma$ which signifies that the formula $\boxminus_{[lo,hi]}\varphi$ is true at the current execution position $i$ with substitution $\sigma$. We now show how to incrementally maintain the structures $\mathbb{H}^{i}$ and $\mathbb{R}^{i}$ provided that we have access to the structures $\mathbb{H}^{(i-1)}$ and $\mathbb{R}^{(i-1)}$. Note that we assume both $\mathbb{H}^{(-1)}$ and $\mathbb{R}^{(-1)}$ to be empty.

In our construction, $\Sigma$ denotes the set of substitutions for which $\varphi$ holds at the current execution position $i$. The construction first checks whether a current substitution can extend the range of an existing triple from $(\sigma, l, i-1) \in \mathbb{H}^{(i-1)}$ to $(\sigma', l, i)$ where $\sigma' \ge \sigma$. If so, those extended triples are added to the set $S_{update}$. Then we take each substitution that does not extend an existing triple and start a new triple $(\sigma, i, i)$, which signifies that $\varphi$ holds for $\sigma$ at position $i$; these are added to the set $S_{new}$. Next we collect all existing triples which cannot be extended with any new substitution; they are added to the set $S_{carry\text{-}over}$. Finally, we throw out those triples whose right end does not satisfy the interval constraint; they are stored in the set $S_{remove}$. We then add all the triples in $S_{new}$, $S_{update}$ and $S_{carry\text{-}over}$ and remove all the triples in $S_{remove}$. The result is stored in $\mathbb{H}^{i}$. Once $\mathbb{H}^{i}$ has been calculated, we show how to calculate the result set $\mathbb{R}^{i}$.

$$
\begin{array}{lcl}
\Sigma & \leftarrow & \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \varphi)\\[4pt]
S_{new} & \leftarrow & \{(\sigma, i, i) \mid \sigma \in \Sigma \wedge \forall(\sigma_1, l, i-1) \in \mathbb{H}^{(i-1)}.\ \sigma \bowtie \sigma_1 \ne \sigma\}\\[4pt]
S_{update} & \leftarrow & \{(\sigma_1 \bowtie \sigma_2, l, i) \mid \sigma_1 \in \Sigma \wedge (\sigma_2, l, i-1) \in \mathbb{H}^{(i-1)} \wedge \sigma_1 \bowtie \sigma_2 \ne \sigma_\bot\}\\[4pt]
S_{carry\text{-}over} & \leftarrow & \{(\sigma, l, r) \mid (\sigma, l, r) \in \mathbb{H}^{(i-1)} \wedge (r < (i-1) \vee (r = i-1 \wedge \forall\sigma_1 \in \Sigma.\ \sigma \bowtie \sigma_1 \ne \sigma))\}\\[4pt]
T & \leftarrow & S_{new} \cup S_{update} \cup S_{carry\text{-}over}\\[4pt]
S_{remove} & \leftarrow & \{(\sigma, l, r) \mid (\sigma, l, r) \in T \wedge (\tau_i - \tau_r) > hi\}\\[4pt]
\mathbb{H}^{i} & \leftarrow & T \setminus S_{remove}\\[4pt]
tl & \leftarrow & \mathsf{minPosition}(\tau, i, lo, hi)\\[4pt]
th & \leftarrow & \mathsf{maxPosition}(\tau, i, lo, hi)\\[4pt]
\mathbb{R}^{i} & \leftarrow & \{\sigma \mid tl \ne -1 \wedge th \ne -1 \wedge \exists l, r.((\sigma, l, r) \in \mathbb{H}^{i} \wedge (l \le tl \le th \le r))\}
\end{array}
$$

For calculating $\mathbb{R}^{i}$, we use two auxiliary utility functions, minPosition and maxPosition. The function minPosition (resp., maxPosition) takes as input the time stamp sequence $\tau$, the current trace position $i$, the lower bound of the interval $lo$ and the upper bound of the interval $hi$. The function minPosition (resp., maxPosition) returns the minimum (resp., maximum) position $tp$ such that $0 \le tp \le i$ and $lo \le \tau_i - \tau_{tp} \le hi$. If no such position exists, both functions return $-1$.

Let $tl$ be the result of the minPosition function and $th$ the result of the maxPosition function. To calculate the substitutions in $\mathbb{R}^{i}$, we choose the triples $(\sigma, l, r)$ in $\mathbb{H}^{i}$ that satisfy the constraint $(l \le tl \le th \le r)$.


C.4 Summary Structure For $\alpha$ in $\alpha\,\mathcal{S}_I\,\beta$

In this section, we show how the structure $\mathbb{S}_\alpha$ at $i$ is updated. We first use ips to calculate a set of substitutions ($\Sigma_\alpha$) that satisfy the following constraints: every substitution $\sigma'$ in $\Sigma_\alpha$ (1) extends a substitution $\sigma$ which makes $\beta$ true at a previous time point $k$, and (2) makes $\alpha\sigma'$ true at position $i$. Next, we identify all substitutions $\sigma$ such that $\alpha\sigma$ is true at position $i$ and it is not the case that $\alpha\sigma$ has been true since an earlier time point $k$ until $i$. In other words, $i$ is the first position from which, up to the current time point, $\alpha\sigma$ has been true. We store them in the set $S_{new}$. Then we collect pairs $(\sigma_\alpha, k)$ from $\mathbb{S}_\alpha^{(i-1)}$ such that $\alpha$ holds true at $i$. We then compute the join of the substitutions with which $\alpha$ holds true in the current state with $\sigma_\alpha$. These pairs are stored in $S_{update}$. Computing the join ensures that $\alpha$ has been true with the same substitution. In the case where $\alpha(x,y) = A(x)\,\mathcal{S}_I\,B(y)$, the structure for $\alpha$ needs to record substitutions for both $x$ and $y$, even though sometimes only substitutions for $y$ are available. If we omit substitutions for $x$, we could run into situations where $\alpha(1,2)$ is true at $i$, $\alpha(2,2)$ at $i+1$, and we mistakenly think that $\alpha(x,y)$ has been true from $i$ to $i+1$ with $y$ instantiated to 2. Recording substitutions for both $x$ and $y$, and taking a join, rules out this case. Finally the new summary structure is the union of the two sets. Note that we assume $\mathbb{S}_\alpha^{(-1)}$ to be empty.

$$
\begin{array}{lcl}
\Sigma_\alpha & \leftarrow & \bigcup \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \sigma, \alpha)\\[4pt]
S_{new} & \leftarrow & \{(\sigma, i) \mid \sigma \in \Sigma_\alpha \wedge \forall(\sigma_\alpha, k) \in \mathbb{S}_\alpha^{(i-1)}.\ (\sigma \bowtie \sigma_\alpha \ne \sigma)\}\\[4pt]
S_{update} & \leftarrow & \{(\sigma \bowtie \sigma_\alpha, k) \mid (\sigma_\alpha, k) \in \mathbb{S}_\alpha^{(i-1)} \wedge \sigma \in \Sigma_\alpha \wedge \sigma \bowtie \sigma_\alpha \ne \sigma_\bot\}\\[4pt]
\mathbb{S}_\alpha^{i} & \leftarrow & S_{new} \cup S_{update}
\end{array}
$$


D Correctness of precis

In this section, we prove the correctness of our algorithm precis (Theorem 1). We first prove some auxiliary lemmas which are used in the proof of Theorem 1. We also introduce the reader to our different data structures (the state $\pi$).

D.1 Properties of the $\vdash$ and $\vdash_B$ Judgements

We start by defining what it means for a policy formula $\varphi$ to be well-moded and then define when we call $\varphi$ a B-formula.

Definition 1 (Well-moded formulas). A formula $\varphi$ is well-moded with respect to a given $\chi_c$ and $\chi_f$ if we can derive the following judgement for $\varphi$: $\chi_c, \chi_f \vdash \varphi : \chi_o$ where $\chi_o \subseteq \mathsf{fv}(\varphi)$.

Definition 2 (B-formula). Given $\chi_c$ and $\chi_f$, for all formulas $\varphi$ such that $\chi_c, \chi_f \vdash \varphi : \chi_o$ and $\chi_o \subseteq \mathsf{fv}(\varphi)$, we say $\varphi$ is a B-formula (or, $B \in \mathsf{label}(\varphi)$) iff the following judgement can be derived for $\varphi$: $\chi_c \vdash_B \varphi : \chi'_o$ where $\chi'_o \subseteq \mathsf{fv}(\varphi)$. In the same vein, if a formula $\varphi$ does not satisfy the above, we write $B \notin \mathsf{label}(\varphi)$ or say that $\varphi$ is not a B-formula.

Lemma 1 (Upper Bound of $\vdash_B$). For all $\varphi$, $\chi_c$ and $\chi_o$, if $\chi_c \vdash_B \varphi : \chi_o$, then $\chi_o \subseteq \mathsf{fv}(\varphi)$.

Proof. Induction on the derivation of $\chi_c \vdash_B \varphi : \chi_o$.

Cases B-TRUE, B-FALSE. Then $\varphi = \top$ or $\varphi = \bot$, $\chi_o = \{\}$ and $\mathsf{fv}(\varphi) = \{\}$. Trivially $\chi_o \subseteq \mathsf{fv}(\varphi)$.

Case B-PRE. Then $\varphi = p(t_1, \ldots, t_n)$, $\chi_o = \bigcup_{j \in O(p)} \mathsf{fv}(t_j)$ by B-PRE, and $\mathsf{fv}(p(t_1, \ldots, t_n)) = \bigcup_{j \in \{1, \ldots, n\}} \mathsf{fv}(t_j)$ by definition. Thus trivially $\chi_o \subseteq \mathsf{fv}(\varphi)$.

Case B-SINCE, with premises $\{\} \vdash_B \varphi_2 : \chi_1$, $\chi_1 \vdash_B \varphi_1 : \chi_2$ and $\chi_o = \chi_1$. Then $\varphi = \varphi_1\,\mathcal{S}_I\,\varphi_2$ and $\chi_c \vdash_B \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_o$. By the inductive hypothesis, $\chi_1 \subseteq \mathsf{fv}(\varphi_2)$. Thus $\chi_o = \chi_1 \subseteq \mathsf{fv}(\varphi_2) \subseteq \mathsf{fv}(\varphi_1) \cup \mathsf{fv}(\varphi_2) = \mathsf{fv}(\varphi)$.

Case B-AND, with premises $\chi_c \vdash_B \varphi_1 : \chi_1$, $\chi_c \cup \chi_1 \vdash_B \varphi_2 : \chi_2$ and $\chi_o = \chi_1 \cup \chi_2$. Then $\varphi = \varphi_1 \wedge \varphi_2$ and $\chi_c \vdash_B \varphi_1 \wedge \varphi_2 : \chi_o$. By the inductive hypothesis, $\chi_1 \subseteq \mathsf{fv}(\varphi_1)$ and $\chi_2 \subseteq \mathsf{fv}(\varphi_2)$. Thus $\chi_o = \chi_1 \cup \chi_2 \subseteq \mathsf{fv}(\varphi_1) \cup \mathsf{fv}(\varphi_2) = \mathsf{fv}(\varphi)$.

Case B-OR, with premises $\chi_c \vdash_B \varphi_1 : \chi_1$, $\chi_c \vdash_B \varphi_2 : \chi_2$ and $\chi_o = \chi_1 \cap \chi_2$. Then $\varphi = \varphi_1 \vee \varphi_2$ and $\chi_c \vdash_B \varphi_1 \vee \varphi_2 : \chi_o$. By the inductive hypothesis, $\chi_1 \subseteq \mathsf{fv}(\varphi_1)$ and $\chi_2 \subseteq \mathsf{fv}(\varphi_2)$. Thus $\chi_o = \chi_1 \cap \chi_2 \subseteq \mathsf{fv}(\varphi_1) \cap \mathsf{fv}(\varphi_2) \subseteq \mathsf{fv}(\varphi_1) \cup \mathsf{fv}(\varphi_2) = \mathsf{fv}(\varphi)$.

Case B-EXISTS, with premises $\chi_c \vdash_B \varphi_1 : \chi_1$ and $\chi_o = \chi_1 \setminus \{x\}$. Then $\varphi = \exists x.\varphi_1$ and $\chi_c \vdash_B \exists x.\varphi_1 : \chi_o$. By the inductive hypothesis, $\chi_1 \subseteq \mathsf{fv}(\varphi_1)$. By set properties, $\chi_o = \chi_1 \setminus \{x\} \subseteq \mathsf{fv}(\varphi_1) \setminus \{x\} = \mathsf{fv}(\exists x.\varphi_1)$.

□


Lemma 2 (Upper Bound of $\vdash$). For all $\varphi$, $\chi_c$, $\chi_f$ and $\chi_o$, if $\chi_c, \chi_f \vdash \varphi : \chi_o$, then $\chi_o \subseteq \mathsf{fv}(\varphi)$.

Proof. Induction on the derivation of $\chi_c, \chi_f \vdash \varphi : \chi_o$. Most cases are equivalent to Lemma 1. We again show select cases.

Cases UNIV-3, UNIV-2, UNIV-1, UNIV-4. Then $\chi_o = \{\}$, which is trivially a subset of the free variables of any formula.

Case UNTIL-1, with premises $\chi_c \vdash_B \varphi_2 : \chi_1$, $\chi_c, \chi_f \cup \chi_1 \vdash \varphi_1 : \chi_2$ and $\chi_o = \chi_1$. Then $\varphi = \varphi_1\,\mathcal{U}_I\,\varphi_2$ and $\chi_c, \chi_f \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_o$. By Lemma 1, $\chi_1 \subseteq \mathsf{fv}(\varphi_2)$. Then $\chi_o = \chi_1 \subseteq \mathsf{fv}(\varphi_2) \subseteq \mathsf{fv}(\varphi_1) \cup \mathsf{fv}(\varphi_2) = \mathsf{fv}(\varphi)$.

Case UNTIL-3, with premises $\chi_c, \chi_f \vdash \varphi_2 : \chi_1$, $\chi_c \vdash_B \varphi_1 : \chi_2$ and $\chi_o = \chi_1$. Then $\varphi = \varphi_1\,\mathcal{U}_I\,\varphi_2$ and $\chi_c, \chi_f \vdash \varphi_1\,\mathcal{U}_I\,\varphi_2 : \chi_o$. By the inductive hypothesis, $\chi_1 \subseteq \mathsf{fv}(\varphi_2)$. Then $\chi_o = \chi_1 \subseteq \mathsf{fv}(\varphi_2) \subseteq \mathsf{fv}(\varphi_1) \cup \mathsf{fv}(\varphi_2) = \mathsf{fv}(\varphi)$.

□


Lemma 3 (Buildable temporal subformula). For a given $\chi_c$ and a formula $\varphi$, if $\chi_c \vdash_B \varphi : \chi_o$ holds, then for every sub-formula $\varphi'$ of $\varphi$ there exists a $\chi'_c$ for which the judgement $\chi'_c \vdash_B \varphi' : \chi'_o$ holds.

Proof. The proof proceeds by induction on the derivation of the $\vdash_B$ judgements. □

Lemma 4 ($\Delta$ of buildable temporal formula). For every formula $\varphi$ such that there exists a $\chi_c$ for which $\chi_c \vdash_B \varphi : \chi_o$ holds, $\Delta(\varphi) = 0$.

Proof. The proof proceeds by induction on the structure of $\varphi$ and case analysis of the $\Delta$ function. □


Lemma 5 (Monotonicity of the $\vdash_B$ judgement). For a given $\chi_c$ and a formula $\varphi$, if $\chi_c \vdash_B \varphi : \chi_o$ can be derived, then for any $\chi'_c$ such that $\chi'_c \supseteq \chi_c$, $\chi'_c \vdash_B \varphi : \chi_o$ can be derived.

Proof. We do induction on the derivation of the $\vdash_B$ judgements. We show select cases; the other cases are similar.

Cases B-TRUE, B-FALSE. We can see from the derivations of $\chi_c \vdash_B \top : \{\}$ and $\chi_c \vdash_B \bot : \{\}$ that the premises of the judgements do not use $\chi_c$; thus we can trivially write $\chi'_c \vdash_B \top : \{\}$ and $\chi'_c \vdash_B \bot : \{\}$ without changing the derivation.

Case B-PRE. From the first premise of the judgement, it is required that $\forall k \in I(p).\ \mathsf{fv}(t_k) \subseteq \chi_c$. We know $\chi'_c \supseteq \chi_c$. Thus, we can write $\forall k \in I(p).\ \mathsf{fv}(t_k) \subseteq \chi'_c$. Then we get the judgement $\chi'_c \vdash_B p(t_1, \ldots, t_n) : \chi_o$.

Case B-SINCE, with premises $\{\} \vdash_B \varphi_2 : \chi_1$, $\chi_1 \vdash_B \varphi_1 : \chi_2$ and $\chi_o = \chi_1$. Then $\chi_c \vdash_B \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_o$. We can see that the premises do not use $\chi_c$. Thus, we can replace $\chi_c$ with $\chi'_c$ and derive the judgement $\chi'_c \vdash_B \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_o$.

Case B-AND, with premises $\chi_c \vdash_B \varphi_1 : \chi_1$, $\chi_c \cup \chi_1 \vdash_B \varphi_2 : \chi_2$ and $\chi_o = \chi_1 \cup \chi_2$. Then $\chi_c \vdash_B \varphi_1 \wedge \varphi_2 : \chi_o$. It is required that $\chi_c \vdash_B \varphi_1 : \chi_1$ and $\chi_c \cup \chi_1 \vdash_B \varphi_2 : \chi_2$. From the I.H., we can write $\chi'_c \vdash_B \varphi_1 : \chi_1$ and $\chi'_c \cup \chi_1 \vdash_B \varphi_2 : \chi_2$, as $(\chi'_c \cup \chi_1) \supseteq (\chi_c \cup \chi_1)$. This enables us to derive the judgement $\chi'_c \vdash_B \varphi_1 \wedge \varphi_2 : \chi_o$.

Case B-OR, with premises $\chi_c \vdash_B \varphi_1 : \chi_1$, $\chi_c \vdash_B \varphi_2 : \chi_2$ and $\chi_o = \chi_1 \cap \chi_2$. Then $\chi_c \vdash_B \varphi_1 \vee \varphi_2 : \chi_o$. It is required that $\chi_c \vdash_B \varphi_1 : \chi_1$ and $\chi_c \vdash_B \varphi_2 : \chi_2$. From the I.H., we can write $\chi'_c \vdash_B \varphi_1 : \chi_1$ and $\chi'_c \vdash_B \varphi_2 : \chi_2$. This enables us to derive the judgement $\chi'_c \vdash_B \varphi_1 \vee \varphi_2 : \chi_o$.

Case B-EXISTS, with premises $\chi_c \vdash_B \varphi_1 : \chi_1$ and $\chi_o = \chi_1 \setminus \{x\}$. Then $\chi_c \vdash_B \exists x.\varphi_1 : \chi_o$. It is required that $\chi_c \vdash_B \varphi_1 : \chi_1$. From the I.H., we can write $\chi'_c \vdash_B \varphi_1 : \chi_1$. This enables us to derive the judgement $\chi'_c \vdash_B \exists x.\varphi_1 : \chi_o$.

□


Lemma 6 (Invariance of $\vdash_B$). Given $\chi_c$ and $\chi_f$, for all formulas $\varphi$ of form $\varphi_1\,\mathcal{S}_I\,\varphi_2$, $\blacklozenge_I\varphi$, $\boxminus_I\varphi$, or $\ominus_I\varphi$, if $\chi_c \vdash_B \varphi : \chi_o$ can be derived then $\{\} \vdash_B \varphi : \chi_o$ can be derived.

Proof. The proof follows from the rules B-SINCE, B-ONCE, B-HIST, and B-LAST respectively, in Figure 7. None of the premises of the rules B-SINCE, B-ONCE, B-HIST and B-LAST use $\chi_c$. We can thus replace $\chi_c$ with $\{\}$ without changing the result of the judgement. □

Lemma 7 (Invariance of $\vdash$). For every formula $\varphi$ and some given $\chi_c$, if $\chi_c \vdash_B \varphi : \chi_o$ holds then $\chi_c, \{\} \vdash \varphi : \chi_o$ holds.

Proof. Induction on the derivation of the $\vdash_B$ and $\vdash$ judgements. □


Lemma 8 (Monotonicity of $\vdash$). Given $\chi_c$, $\chi_f$, and a formula $\varphi$, if $\chi_c, \chi_f \vdash \varphi : \chi_o$ can be derived, then for any $\chi'_c$, $\chi'_f$ such that $\chi_c \subseteq \chi'_c$ and $\chi_f \subseteq \chi'_f$, the judgement $\chi'_c, \chi'_f \vdash \varphi : \chi_o$ can be derived.

Proof. By induction on the derivation of the $\vdash$ judgements. We show select cases.

Cases TRUE/FALSE. The premise of the judgement uses neither $\chi_c$ nor $\chi_f$. Thus, we can write $\chi'_c, \chi'_f \vdash \top : \{\}$ and $\chi'_c, \chi'_f \vdash \bot : \{\}$.

Case PRE-2. From the derivation of the judgement, we see that it is required that $\chi_c \vdash_B p(t_1, \ldots, t_n) : \chi_o$. In this premise of the judgement, $\chi_f$ is not used, so we can replace $\chi_f$ with $\chi'_f$. By Lemma 5, if we have $\chi_c \vdash_B p(t_1, \ldots, t_n) : \chi_o$, we can write $\chi'_c \vdash_B p(t_1, \ldots, t_n) : \chi_o$. Thus, we can derive the judgement $\chi'_c, \chi'_f \vdash p(t_1, \ldots, t_n) : \chi_o$.

Case PRE-1. From the derivation of the judgement, we see that it is required that $\bigcup_{k \in I(p)} \mathsf{fv}(t_k) \subseteq (\chi_c \cup \chi_f)$. As $\chi_c \subseteq \chi'_c$ and $\chi_f \subseteq \chi'_f$, we have $(\chi_c \cup \chi_f) \subseteq (\chi'_c \cup \chi'_f)$. Thus, we have $\chi'_c, \chi'_f \vdash p(t_1, \ldots, t_n) : \chi_o$.

Case SINCE-1. From the derivation of the judgement, we see that it is required that $\{\} \vdash_B \varphi_2 : \chi_1$ and $\chi_1, (\chi_c \cup \chi_f) \vdash \varphi_1 : \chi_2$. The first premise uses neither $\chi_c$ nor $\chi_f$. However, this is not the case for the second premise. We have $(\chi_c \cup \chi_f) \subseteq (\chi'_c \cup \chi'_f)$ as $\chi_c \subseteq \chi'_c$ and $\chi_f \subseteq \chi'_f$. From the I.H., we have $\chi_1, (\chi'_c \cup \chi'_f) \vdash \varphi_1 : \chi_2$. We can thus derive the judgement $\chi'_c, \chi'_f \vdash \varphi_1\,\mathcal{S}_I\,\varphi_2 : \chi_o$.

The other cases are similar.

□
Lemma 9 (Switching to $\vdash$ judgements from $\vdash_B$ judgements). For a given $\chi_c$ and a formula $\varphi$, if $\chi_c \vdash_B \varphi : \chi_o$ can be derived, then for any $\chi_f$, $\chi_c, \chi_f \vdash \varphi : \chi_o$ can be derived.

Proof. The proof follows from Lemmas 7 and 8. According to Lemma 7, if we have $\chi_c \vdash_B \varphi : \chi_o$, we can write $\chi_c, \{\} \vdash \varphi : \chi_o$. By Lemma 8, if we have $\chi_c, \{\} \vdash \varphi : \chi_o$, we can write $\chi_c, \chi_f \vdash \varphi : \chi_o$ for any $\chi_f$, as $\chi_f \supseteq \{\}$. □


D.2 Substitutions and their Properties

The next notion necessary to understand our compliance checking algorithm is the notion of substitution. A substitution can be viewed as a finite mapping that maps free variables to concrete values in the domain $\mathcal{D}$. More formally, we define a substitution (denoted by $\sigma$) to be a finite mapping from variables to values in the domain $\mathcal{D}$, where $\sigma(v)$ is in the domain of the variable $v$. Given a substitution $\sigma$, $\mathsf{dom}(\sigma)$ is defined as follows: $\mathsf{dom}(\sigma) = \{x \mid \sigma(x) \ne x\}$. We use $\Sigma$ (possibly with subscript or superscript) to denote a set of substitutions. We use $\bullet$ to represent the identity substitution and $\sigma_\bot$ to represent an invalid substitution.

We now define what it means for a substitution $\sigma_1$ to extend $\sigma_2$ (denoted $\sigma_1 \ge \sigma_2$). We also define how to apply a substitution $\sigma$ to a formula $\varphi$ with free variables.

Definition 3 (Extension of Substitution). Given two substitutions $\sigma$ and $\sigma'$, we say $\sigma'$ extends $\sigma$, denoted by $\sigma' \ge \sigma$, if the following holds: $\mathsf{dom}(\sigma') \supseteq \mathsf{dom}(\sigma)$ and $\forall x \in \mathsf{dom}(\sigma).(\sigma(x) = \sigma'(x))$.

Definition 4 (Substitution Application). The application of a substitution $\sigma$ to a formula $\varphi$, denoted $\varphi\sigma$, is recursively defined by

$$
\varphi\sigma = \begin{cases}
\top & \varphi = \top\\
\bot & \varphi = \bot\\
p(\sigma(t_1), \ldots, \sigma(t_n)) & \varphi = p(t_1, \ldots, t_n)\\
(\varphi_1\sigma) \vee (\varphi_2\sigma) & \varphi = \varphi_1 \vee \varphi_2\\
(\varphi_1\sigma) \wedge (\varphi_2\sigma) & \varphi = \varphi_1 \wedge \varphi_2\\
\exists x.\varphi_1[\sigma \setminus \{x\}] & \varphi = \exists x.\varphi_1\\
\forall x.(\varphi_1[\sigma \setminus \{x\}] \rightarrow \varphi_2[\sigma \setminus \{x\}]) & \varphi = \forall x.(\varphi_1 \rightarrow \varphi_2)\\
(\varphi_1\sigma)\,\mathcal{S}_{[c,d]}\,(\varphi_2\sigma) & \varphi = \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2\\
(\varphi_1\sigma)\,\mathcal{U}_{[c,d]}\,(\varphi_2\sigma) & \varphi = \varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2\\
\blacklozenge_{[c,d]}(\varphi_1\sigma) \mid \boxminus_{[c,d]}(\varphi_1\sigma) \mid \ominus_{[c,d]}(\varphi_1\sigma) & \varphi = \blacklozenge_{[c,d]}\varphi_1 \mid \boxminus_{[c,d]}\varphi_1 \mid \ominus_{[c,d]}\varphi_1\\
\Diamond_{[c,d]}(\varphi_1\sigma) \mid \Box_{[c,d]}(\varphi_1\sigma) \mid \bigcirc_{[c,d]}(\varphi_1\sigma) & \varphi = \Diamond_{[c,d]}\varphi_1 \mid \Box_{[c,d]}\varphi_1 \mid \bigcirc_{[c,d]}\varphi_1
\end{cases}
$$

where $\sigma$ is extended such that $\sigma(e) = e$ for any $e$ that is not a variable or is not in the domain of $\sigma$.

We now introduce some notation. Given a substitution $\sigma$, we use $\sigma\!\restriction\! S$ to denote a new substitution which is the same as $\sigma$ except that all variable-value mappings for variables not in the set $S$ are removed. Let $\sigma' = \sigma\!\restriction\! S$; then the following holds: $\mathsf{dom}(\sigma') \subseteq \mathsf{dom}(\sigma)$, $\forall x \in S.(\sigma(x) = \sigma'(x))$, and $\forall x \in \mathsf{dom}(\sigma).(x \notin S \rightarrow (\sigma'(x) = x))$. We now generalize this operation to a set of substitutions. Let $\Sigma'$ be a set of substitutions and $\Sigma = \Sigma'\!\restriction\! S$. We define $\Sigma = \Sigma'\!\restriction\! S$ in the following way: $\forall\sigma \in \Sigma'.(\Sigma \leftarrow \Sigma \cup \{\sigma\!\restriction\! S\})$.

We use $\sigma \setminus S$ to denote a new substitution which is the same as $\sigma$ except that the variable-value mappings for variables in the set $S$ are removed. More precisely, let $\sigma' = \sigma \setminus S$; then $\mathsf{dom}(\sigma') \subseteq \mathsf{dom}(\sigma)$, $\forall x \in \mathsf{dom}(\sigma).(x \notin S \rightarrow (\sigma(x) = \sigma'(x)))$, and $\forall x \in \mathsf{dom}(\sigma).(x \in S \rightarrow (\sigma'(x) = x))$ hold. We generalize this operation to a set of substitutions in the same way: let $\Sigma'$ be a set of substitutions and $\Sigma = \Sigma' \setminus S$; then $\forall\sigma \in \Sigma'.(\Sigma \leftarrow \Sigma \cup \{\sigma \setminus S\})$. Given a substitution $\sigma$, we use $\sigma[x \mapsto t]$ to denote a new substitution which is the same as $\sigma$ except that the variable $x$ is now mapped to the new value $t$. Generalized to a set of substitutions: let $\Sigma'$ be a set of substitutions and $\Sigma = \Sigma'[x \mapsto t]$; then $\forall\sigma \in \Sigma'.(\Sigma \leftarrow \Sigma \cup \{\sigma[x \mapsto t]\})$.

Given two substitutions $\sigma_1$ and $\sigma_2$ such that $\mathsf{dom}(\sigma_1) \cap \mathsf{dom}(\sigma_2) = \{\}$, we use $\sigma_1 + \sigma_2$ to denote the concatenation of the variable-value mappings of both $\sigma_1$ and $\sigma_2$. Let $\sigma = \sigma_1 + \sigma_2$; then the following holds: $\forall x \in \mathsf{dom}(\sigma).((x \in \mathsf{dom}(\sigma_1) \rightarrow \sigma(x) = \sigma_1(x)) \wedge (x \in \mathsf{dom}(\sigma_2) \rightarrow \sigma(x) = \sigma_2(x)))$. We also have: $\sigma + \bullet = \sigma$ and $\sigma + \sigma_\bot = \sigma_\bot$. If $\mathsf{dom}(\sigma_1) \cap \mathsf{dom}(\sigma_2) \ne \{\}$, then the substitution $\sigma_1$ for variables in $\mathsf{dom}(\sigma_1) \cap \mathsf{dom}(\sigma_2)$ is overridden by the substitution $\sigma_2$ for those variables.

Given two substitutions $\sigma_1$ and $\sigma_2$, we use $\sigma_1 \bowtie \sigma_2$ to denote a new substitution which is the join of the two substitutions $\sigma_1$ and $\sigma_2$. Let $\sigma = \sigma_1 \bowtie \sigma_2$; $\sigma$ is $\sigma_\bot$ when the following holds: $\exists x \in (\mathsf{dom}(\sigma_1) \cap \mathsf{dom}(\sigma_2)).(\sigma_1(x) \ne \sigma_2(x))$. When $\sigma \ne \sigma_\bot$, the following holds: $\mathsf{dom}(\sigma) = \mathsf{dom}(\sigma_1) \cup \mathsf{dom}(\sigma_2)$ and $\forall x \in \mathsf{dom}(\sigma).(((x \in \mathsf{dom}(\sigma_1) \wedge x \notin S) \rightarrow \sigma(x) = \sigma_1(x)) \wedge ((x \in \mathsf{dom}(\sigma_2) \wedge x \notin S) \rightarrow \sigma(x) = \sigma_2(x)) \wedge (x \in S \rightarrow (\sigma(x) = \sigma_1(x) = \sigma_2(x))))$ where $S = \mathsf{dom}(\sigma_1) \cap \mathsf{dom}(\sigma_2)$. We consider the $\bowtie$ operation to be symmetric, that is $\sigma_1 \bowtie \sigma_2 = \sigma_2 \bowtie \sigma_1$. We also assume that the join of two finite substitutions can be computed in finite time. We also have the following: $\sigma \bowtie \bullet = \sigma$ and $\sigma \bowtie \sigma_\bot = \sigma_\bot$. We use $\bowtie_{0 \le k \le j}\sigma_k$ to represent $\sigma_0 \bowtie \sigma_1 \bowtie \ldots \bowtie \sigma_{j-1} \bowtie \sigma_j$. We write $\bowtie\sigma_k$ when the domain of $k$ is understood from the context.

As the necessary notations have been introduced, we now discuss some obvious properties of substitutions.
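The C.3 update for $\boxminus_{[lo,hi]}\varphi$ and the join and extension operations on substitutions defined above, as an added Python example (not the paper's precis implementation): it maintains $\mathbb{H}^{i}$ and $\mathbb{R}^{i}$ step by step over a constructed trace and checks each $\mathbb{R}^{i}$ against the brute-force reading of $\boxminus$ (the $B \notin \mathsf{label}$ branch of ips in Figure 11). The timestamps, the interval and the per-position satisfying substitutions are constructed sample values.

```python
# Added illustration of Appendix C.3 (H/R structure for ⊟_[lo,hi] φ) on top of
# the substitution join ⋈ and extension ≥ of Appendix D.2. Not the paper's
# precis code; all sample data below is constructed.

BOTTOM = None  # stands for the invalid substitution σ_⊥


def join(s1, s2):
    """σ1 ⋈ σ2: σ_⊥ if the two disagree on a shared variable, otherwise the
    union of both mappings (so σ ⋈ • = σ and σ ⋈ σ_⊥ = σ_⊥)."""
    if s1 is BOTTOM or s2 is BOTTOM:
        return BOTTOM
    if any(s1[x] != s2[x] for x in s1.keys() & s2.keys()):
        return BOTTOM
    return {**s1, **s2}


def extends(s_prime, s):
    """σ' ≥ σ (Definition 3): dom(σ') ⊇ dom(σ) and both agree on dom(σ)."""
    return all(x in s_prime and s_prime[x] == v for x, v in s.items())


def canon(s):
    """Hashable form of a substitution, used for set membership."""
    return frozenset(s.items())


def min_position(tau, i, lo, hi):
    """Least tp with 0 <= tp <= i and lo <= τ_i - τ_tp <= hi, or -1."""
    return next((tp for tp in range(i + 1) if lo <= tau[i] - tau[tp] <= hi), -1)


def max_position(tau, i, lo, hi):
    """Greatest such tp, or -1."""
    return next((tp for tp in range(i, -1, -1) if lo <= tau[i] - tau[tp] <= hi), -1)


def step_hist(H_prev, Sigma, tau, i, lo, hi):
    """One update of the C.3 construction: from H^{i-1} (triples (σ, l, r))
    and Σ (substitutions for which φ holds at i) compute H^i and R^i."""
    ending = [(s, l, r) for (s, l, r) in H_prev if r == i - 1]
    # S_new: σ that does not extend any triple ending at i-1 (σ ⋈ σ1 ≠ σ)
    S_new = [(s, i, i) for s in Sigma
             if all(not extends(s, s1) for (s1, _, _) in ending)]
    # S_update: a compatible pair extends the triple's range to i
    S_update = [(join(s1, s2), l, i) for s1 in Sigma for (s2, l, _) in ending
                if join(s1, s2) is not BOTTOM]
    # S_carry-over: triples that ended earlier, or end at i-1 but cannot be extended
    S_carry = [(s, l, r) for (s, l, r) in H_prev
               if r < i - 1 or all(not extends(s, s1) for s1 in Sigma)]
    T = {(canon(s), l, r) for (s, l, r) in S_new + S_update + S_carry}
    # S_remove: triples whose right end is too old for the interval [lo, hi]
    H_i = [(dict(c), l, r) for (c, l, r) in T if tau[i] - tau[r] <= hi]
    tl, th = min_position(tau, i, lo, hi), max_position(tau, i, lo, hi)
    R_i = set()
    if tl != -1 and th != -1:
        R_i = {canon(s) for (s, l, r) in H_i if l <= tl <= th <= r}
    return H_i, R_i


def run_hist(Sigmas, tau, lo, hi):
    """Maintain the structure along the trace; returns [R^0, ..., R^n]."""
    H, results = [], []
    for i in range(len(tau)):
        H, R = step_hist(H, Sigmas[i], tau, i, lo, hi)
        results.append(R)
    return results


def brute_hist(Sigmas, tau, i, lo, hi):
    """Brute-force reading of ⊟_[lo,hi] φ at i (the B ∉ label branch of ips in
    Figure 11): σ must satisfy φ at every k <= i with lo <= τ_i - τ_k <= hi."""
    ks = [k for k in range(i + 1) if lo <= tau[i] - tau[k] <= hi]
    sets = [{canon(s) for s in Sigmas[k]} for k in ks]
    return set.intersection(*sets) if sets else set()


# Constructed sample: timestamps τ and, per position, the substitutions for x
# under which φ(x) holds.
TAU = [0, 1, 2, 3, 5]
SIGMAS = [[{"x": 1}, {"x": 2}], [{"x": 1}, {"x": 2}], [{"x": 1}],
          [{"x": 1}, {"x": 2}], [{"x": 1}]]

if __name__ == "__main__":
    for i, R in enumerate(run_hist(SIGMAS, TAU, 0, 2)):
        assert R == brute_hist(SIGMAS, TAU, i, 0, 2)
        print(i, sorted(sorted(c) for c in R))
```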

Lemma 10 (Basic Substitution Properties). Let $\sigma$ and $\sigma'$ be arbitrary substitutions such that $\mathsf{dom}(\sigma) \cap \mathsf{dom}(\sigma') = \emptyset$, and let $\varphi$ be any formula. Then

1. if $\mathsf{dom}(\sigma) \cap \mathsf{fv}(\varphi) = \emptyset$, then $\varphi\sigma = \varphi$,

2. $\mathsf{fv}(\varphi\sigma) = \mathsf{fv}(\varphi) \setminus \mathsf{dom}(\sigma)$,

3. $\varphi(\sigma + \sigma') = (\varphi\sigma)\sigma' = (\varphi\sigma')\sigma$,

4. if $\mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi)$, then $\mathsf{fv}(\varphi\sigma) = \emptyset$,

5. if $\mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi)$, then $\varphi\sigma = \varphi(\sigma + \sigma')$,

6. $\varphi\sigma = \varphi(\sigma\!\restriction\!\mathsf{fv}(\varphi))$.

Proof. The first three are by induction on the structure of $\varphi$. 4 follows from 2. 5 follows from 3, 4 and 1. 6 follows from 3 and 1. □

Lemma 11 (Substitution: fv Restriction and Extension). Let $\sigma$ and $\sigma'$ be substitutions and $\varphi$ a formula such that $\mathsf{dom}(\sigma) \cap \mathsf{dom}(\sigma') = \emptyset$ and $\mathsf{dom}(\sigma') \cap \mathsf{fv}(\varphi) = \emptyset$. Then for all $\mathcal{L}, j, \eta$ it holds that $\mathcal{L}, j, \eta \models \varphi(\sigma\!\restriction\!\mathsf{fv}(\varphi)) \iff \mathcal{L}, j, \eta \models \varphi\sigma \iff \mathcal{L}, j, \eta \models \varphi(\sigma + \sigma')$.

Proof. By Lemma 10 we have $\varphi(\sigma\!\restriction\!\mathsf{fv}(\varphi)) = \varphi\sigma = \varphi(\sigma + \sigma')$. Thus the statement is trivially true. □

Corollary 1 (fv Substitution). Let $\sigma$ be a substitution and $\varphi$ a formula, with $\mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi)$. Then for all $\mathcal{L}, j, \eta$ and $\sigma' \ge \sigma$ it holds that $\mathcal{L}, j, \eta \models \varphi\sigma \iff \mathcal{L}, j, \eta \models \varphi\sigma'$.

Proof. Let $\sigma'' = \sigma\!\restriction\!\mathsf{fv}(\varphi)$. Then $\mathcal{L}, j, \eta \models \varphi\sigma'' \iff \mathcal{L}, j, \eta \models \varphi\sigma$ and $\mathcal{L}, j, \eta \models \varphi\sigma'' \iff \mathcal{L}, j, \eta \models \varphi\sigma'$ by the previous lemma. Thus, $\mathcal{L}, j, \eta \models \varphi\sigma \iff \mathcal{L}, j, \eta \models \varphi\sigma'$. □


D.3 precis State ($\pi$)

We now introduce the persistent state our algorithm precis uses to store the appropriate summary structures for each of the B-formulas. We denote the state by $\pi$.

A state $\pi$ is a tuple of form $(\mathcal{A}, idx)$ where $\mathcal{A}$ has the type $\mathsf{Formula} \rightarrow \mathbb{N} \rightarrow (\mathbb{S}_{\mathcal{S}} + \mathbb{S}_{\blacklozenge} + \mathbb{S}_{\boxminus} + \mathbb{S}_{\ominus})$ whereas $idx$ has the type $\mathbb{N}$. For a given $\pi$, we access the $\mathcal{A}$ component of it as $\pi.\mathcal{A}$, and the $idx$ component using the notation $\pi.idx$. For any given $\pi = (\mathcal{A}, idx)$ we require that the $\mathcal{A}$ component of $\pi$ be well-formed such that, for a given $i \in \mathbb{N}$, $\mathcal{GMP}$ B-formulas of form: (1) $\alpha\,\mathcal{S}_I\,\beta$ are mapped to $\mathbb{S}_{\mathcal{S}}$, (2) $\blacklozenge_I\varphi$ are mapped to $\mathbb{S}_{\blacklozenge}$, (3) $\boxminus_I\varphi$ are mapped to $\mathbb{S}_{\boxminus}$, and (4) $\ominus_I\varphi$ are mapped to $\mathbb{S}_{\ominus}$.

We now describe the types of $\mathbb{S}_{\mathcal{S}}$, $\mathbb{S}_{\blacklozenge}$, $\mathbb{S}_{\boxminus}$, and $\mathbb{S}_{\ominus}$. $\mathbb{S}_{\mathcal{S}}$ is a tuple $(\mathbb{S}_\alpha, \mathbb{S}_\beta, \mathbb{M})$ in which $\mathbb{S}_\alpha$ and $\mathbb{S}_\beta$ are structures containing pairs of form $(\sigma, k)$ where $\sigma$ is a substitution and $k \in \mathbb{N}$. $\mathbb{M}$ is a structure containing a set of substitutions. For a given state $\pi = (\mathcal{A}, idx)$ (where $\mathcal{A}$ is well-formed) and a $\mathcal{GMP}$ formula $\varphi$ of form $\alpha\,\mathcal{S}_I\,\beta$, we can access $\varphi$'s structure $\mathbb{S}_\alpha$ at a specific position $i \in \mathbb{N}$ using the following notation: $\pi.\mathcal{A}(\alpha\,\mathcal{S}_I\,\beta)(i).\mathbb{S}_\alpha$. For a given state $\pi = (\mathcal{A}, idx)$ (where $\mathcal{A}$ is well-formed) and a $\mathcal{GMP}$ formula $\varphi$ of form $\alpha\,\mathcal{S}_I\,\beta$, to specify that a specific $(\sigma, k)$ is present in the structure of $\varphi$ at position $i \in \mathbb{N}$, we use the notation $(\sigma, k) \in \pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\alpha$. When the state ($\pi = (\mathcal{A}, idx)$) and the formula ($\varphi = \alpha\,\mathcal{S}_I\,\beta$) are understood from the context, we just write $\mathbb{S}_\alpha^{i}$ to express $\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\alpha$. We follow the same notation for the other structures too.

$\mathbb{S}_{\blacklozenge}$ is a tuple $(\mathbb{P}, \mathbb{M})$ where $\mathbb{P}$ has the same type as $\mathbb{S}_\alpha$. In the same vein, $\mathbb{S}_{\boxminus}$ is a tuple $(\mathbb{H}, \mathbb{M})$ where $\mathbb{H}$ is a structure containing tuples of form $(\sigma, left, right)$ where $\sigma$ is a substitution and $left, right \in \mathbb{N}$. $\mathbb{S}_{\ominus}$ is a tuple $(\mathbb{T}, \mathbb{M})$ where $\mathbb{T}$ has the same type as $\mathbb{M}$.

Next we introduce what we mean by a well-formed state and define two properties (weak consistency and strong consistency) of a well-formed state which we use in the correctness lemma later. First, however, we define what we mean by buildable strict temporal subformulas of a given formula $\varphi$; we use this concept while defining weak and strong consistency of a well-formed state.

Definition 5 (Buildable Strict Temporal Sub-formula). Given a formula $\varphi$, the set of buildable strict temporal sub-formulas of $\varphi$ is denoted by $\mathsf{b\text{-}s\text{-}tsub}(\varphi)$ and is defined as $\mathsf{b\text{-}s\text{-}tsub}(\varphi) = \mathsf{b\text{-}tsub}(\varphi) \setminus \{\varphi\}$.

We now define what it means for a state $\pi$ to be well-formed at a specific position $j \in \mathbb{N}$ with respect to a log $\mathcal{L}$ and a formula $\varphi$ where $B \in \mathsf{label}(\varphi)$.

Definition 6 (Well-formed State, $\Psi$). Given a state $\pi = (\mathcal{A}, idx)$ (where $idx \in \mathbb{N}$ and $\pi.\mathcal{A}$ is well-formed), we say it is well-formed at $j \in \mathbb{N}$ (where $j \le idx$) with respect to a log $\mathcal{L}$, time stamp sequence $\tau$, and a formula $\varphi$ of form $\alpha\,\mathcal{S}_I\,\beta$, $\blacklozenge_I\alpha$, $\boxminus_I\alpha$, or $\ominus_I\alpha$ where $\{\} \vdash_B \varphi : \chi_o$ such that $\chi_o \subseteq \mathsf{fv}(\varphi)$, denoted by $\Psi(\mathcal{L}, \tau, \pi, \varphi, j)$, if all of the following hold:
$$
\mathsf{b\text{-}tsub}(\varphi) = \begin{cases}
\emptyset & \text{if } \varphi = \top \mid \bot \mid p(t_1, \ldots, t_n)\\
\mathsf{b\text{-}tsub}(\varphi_1) \cup \mathsf{b\text{-}tsub}(\varphi_2) & \text{if } \varphi = \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1\,\mathcal{U}_I\,\varphi_2\\
\{\varphi\} \cup \mathsf{b\text{-}tsub}(\alpha) \cup \mathsf{b\text{-}tsub}(\beta) & \text{if } \varphi = \alpha\,\mathcal{S}_I\,\beta \text{ and } B \in \mathsf{label}(\varphi)\\
\mathsf{b\text{-}tsub}(\alpha) \cup \mathsf{b\text{-}tsub}(\beta) & \text{if } \varphi = \alpha\,\mathcal{S}_I\,\beta \text{ and } B \notin \mathsf{label}(\varphi)\\
\mathsf{b\text{-}tsub}(\varphi_1) \cup \mathsf{b\text{-}tsub}(\varphi_2) & \text{if } \varphi = \forall x.(\varphi_1 \rightarrow \varphi_2)\\
\mathsf{b\text{-}tsub}(\varphi_1) & \text{if } \varphi = \exists x.\varphi_1\\
\mathsf{b\text{-}tsub}(\varphi_1) \cup \{\varphi\} & \text{if } \varphi = \blacklozenge_I\varphi_1 \mid \boxminus_I\varphi_1 \mid \ominus_I\varphi_1 \text{ and } B \in \mathsf{label}(\varphi)\\
\mathsf{b\text{-}tsub}(\varphi_1) & \text{if } \varphi = \blacklozenge_I\varphi_1 \mid \boxminus_I\varphi_1 \mid \ominus_I\varphi_1 \text{ and } B \notin \mathsf{label}(\varphi)\\
\mathsf{b\text{-}tsub}(\varphi_1) & \text{if } \varphi = \Diamond_I\varphi_1 \mid \Box_I\varphi_1 \mid \bigcirc_I\varphi_1
\end{cases}
$$

Figure 12: Function definition: $\mathsf{b\text{-}tsub}(\varphi)$


• $\varphi = \alpha\,\mathcal{S}_{[c,d]}\,\beta$, $\{\} \vdash_B \beta : \chi_1$, and $\chi_1 \vdash_B \alpha : \chi_2$ implies that:

1. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\alpha$) $\forall(\sigma, k) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\alpha, \eta.\ \mathsf{dom}(\sigma) \supseteq (\chi_1 \cup \chi_2) \wedge (\forall\sigma', l.\ (k \le l \le j) \wedge \sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, l, \eta \models \alpha\sigma')$.

2. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\alpha$) $\forall\sigma, k, \sigma_\beta, \eta.\ (k < j) \wedge (\sigma_\beta, k) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\beta \wedge \sigma \ge \sigma_\beta \wedge \mathsf{dom}(\sigma) \supseteq (\chi_1 \cup \chi_2) \wedge \forall l.\ (k+1 \le l \le j) \wedge \mathcal{L}, \tau, l, \eta \models \alpha\sigma \rightarrow \exists\sigma', m.\ \sigma \ge \sigma' \wedge m \le (k+1) \wedge (\sigma', m) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\alpha$.

3. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\beta$) $\forall(\sigma, k) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\beta, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_1 \wedge \tau_j - \tau_k \le d \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, k, \eta \models \beta\sigma')$.

4. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\beta$) $\forall\sigma, k, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\beta) \wedge \tau_j - \tau_k \le d \wedge \mathcal{L}, \tau, k, \eta \models \beta\sigma \rightarrow (\exists(\sigma', k) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{S}_\beta.\ \sigma \ge \sigma')$.

5. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, j, \eta \models \varphi\sigma')$.

6. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi) \wedge \mathcal{L}, \tau, j, \eta \models \varphi\sigma \rightarrow (\exists\sigma' \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}.\ \sigma \ge \sigma')$.

• $\varphi = \ominus_{[c,d]}\alpha$ implies that:

1. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{T}$) $\forall\sigma \in \pi.\mathcal{A}(\varphi)(j).\mathbb{T}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$.

2. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{T}$) $\forall\sigma, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\alpha) \wedge \mathcal{L}, \tau, j, \eta \models \alpha\sigma \rightarrow (\exists\sigma' \in \pi.\mathcal{A}(\varphi)(j).\mathbb{T}.\ \sigma \ge \sigma')$.

3. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, j, \eta \models \varphi\sigma')$.

4. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi) \wedge \mathcal{L}, \tau, j, \eta \models \varphi\sigma \rightarrow (\exists\sigma' \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}.\ \sigma \ge \sigma')$.

• $\varphi = \blacklozenge_{[c,d]}\alpha$ implies that:

1. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{P}$) $\forall(\sigma, k) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{P}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \tau_j - \tau_k \le d \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, k, \eta \models \alpha\sigma')$.

2. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{P}$) $\forall\sigma, k, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\alpha) \wedge \tau_j - \tau_k \le d \wedge \mathcal{L}, \tau, k, \eta \models \alpha\sigma \rightarrow (\exists(\sigma', k) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{P}.\ \sigma \ge \sigma')$.

3. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, j, \eta \models \varphi\sigma')$.

4. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi) \wedge \mathcal{L}, \tau, j, \eta \models \varphi\sigma \rightarrow (\exists\sigma' \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}.\ \sigma \ge \sigma')$.

• $\varphi = \boxminus_{[c,d]}\alpha$ implies that:

1. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{H}$) $\forall(\sigma, left, right) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{H}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \tau_j - \tau_{right} \le d \wedge \forall\sigma', l \in [left, right].(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, l, \eta \models \alpha\sigma')$.

2. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{H}$) $\forall\sigma, L, R, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\alpha) \wedge (L \le R \le j) \wedge (\tau_j - \tau_R \le d) \wedge (\forall t.(L \le t \le R) \rightarrow \mathcal{L}, \tau, t, \eta \models \alpha\sigma) \rightarrow \exists\sigma', left, right.\ (\sigma \ge \sigma') \wedge left \le L \le R \le right \le j \wedge (\sigma', left, right) \in \pi.\mathcal{A}(\varphi)(j).\mathbb{H}$.

3. (SOUNDNESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}, \eta.\ \mathsf{dom}(\sigma) \supseteq \chi_o \wedge \forall\sigma'.(\sigma' \ge \sigma \rightarrow \mathcal{L}, \tau, j, \eta \models \varphi\sigma')$.

4. (COMPLETENESS-$\pi.\mathcal{A}(\varphi)(j).\mathbb{M}$) $\forall\sigma, \eta.\ \mathsf{dom}(\sigma) \supseteq \mathsf{fv}(\varphi) \wedge \mathcal{L}, \tau, j, \eta \models \varphi\sigma \rightarrow (\exists\sigma' \in \pi.\mathcal{A}(\varphi)(j).\mathbb{M}.\ \sigma \ge \sigma')$.

Having introduced what it means for a state to be well-formed, we now formally define two properties of a well-formed state, which we use in the statement of the subsequent correctness lemmas, based on the definition of a well-formed state $\Psi$. Moreover, from now on, when we mention a state we mean a well-formed state unless explicitly stated otherwise.

Definition 7 (Strong Consistency). A state $\pi = (\mathcal{A}, idx)$ (where $idx \in \mathbb{N}$) is strongly consistent at $j \in \mathbb{Z}$ (where $j \le idx$) with respect to a log $\mathcal{L}$, a time stamp sequence $\tau$, and a formula $\varphi$ if: (1) $j < 0$ or (2) for all $\varphi' \in \mathsf{b\text{-}tsub}(\varphi)$ and for all $0 \le k \le j$, $\Psi(\mathcal{L}, \tau, \pi, \varphi', k)$ holds.

Definition 8 (Weak Consistency). A state $\pi = (\mathcal{A}, idx)$ (where $idx \in \mathbb{N}$) is weakly consistent at $j \in \mathbb{Z}$ (where $j \le idx$) with respect to a log $\mathcal{L}$, a time stamp sequence $\tau$, and a formula $\varphi$ if: (1) $j < 0$ or (2) $\pi$ is a strongly consistent state at $j - 1$ with respect to $\mathcal{L}$ and $\varphi$, and additionally for all $\varphi' \in \mathsf{b\text{-}s\text{-}tsub}(\varphi)$, $\Psi(\mathcal{L}, \tau, \pi, \varphi', j)$ holds.

We now define the size of a state with respect to a temporal B-formula $\varphi$ and a position $j \in \mathbb{Z}$. The size of a state at a position $j$ with respect to a B-formula $\varphi$, a log $\mathcal{L}$, and a time stamp sequence $\tau$, is the sum of the summary structure sizes of $\varphi$ at all positions $k$ where $0 \le k \le j$. The finiteness of the state with respect to all B-formulas of a given policy $\varphi$ enables us to show the termination of our algorithm.

Definition 9 (Size of a state with respect to a buildable temporal formula). Given a log $\mathcal{L}$, a time stamp sequence $\tau$, a formula $\varphi$ of form $\alpha\,\mathcal{S}_I\,\beta$, $\blacklozenge_I\alpha$, $\boxminus_I\alpha$, or $\ominus_I\alpha$ such that $\{\} \vdash_B \varphi : \chi_o$ where $\chi_o \subseteq \mathsf{fv}(\varphi)$, a state $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, and a position $j \in \mathbb{Z}$ such that $j \le i$ and $\pi$ is strongly consistent at $j$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, the size of $\pi$ at $j$ with respect to $\varphi$, denoted by $\Upsilon(\pi, j, \varphi)$, is defined as follows:

$$
\Upsilon(\pi, j, \varphi) = \begin{cases}
0 & \text{if } j < 0\\
\sum_{0 \le k \le j} (|\pi.\mathcal{A}(\varphi)(k).\mathbb{S}_\alpha| + |\pi.\mathcal{A}(\varphi)(k).\mathbb{S}_\beta| + |\pi.\mathcal{A}(\varphi)(k).\mathbb{M}|) & \text{if } \varphi = \alpha\,\mathcal{S}_I\,\beta\\
\sum_{0 \le k \le j} (|\pi.\mathcal{A}(\varphi)(k).\mathbb{P}| + |\pi.\mathcal{A}(\varphi)(k).\mathbb{R}|) & \text{if } \varphi = \blacklozenge_I\alpha\\
\sum_{0 \le k \le j} (|\pi.\mathcal{A}(\varphi)(k).\mathbb{H}| + |\pi.\mathcal{A}(\varphi)(k).\mathbb{R}|) & \text{if } \varphi = \boxminus_I\alpha\\
\sum_{0 \le k \le j} (|\pi.\mathcal{A}(\varphi)(k).\mathbb{T}| + |\pi.\mathcal{A}(\varphi)(k).\mathbb{M}|) & \text{if } \varphi = \ominus_I\alpha
\end{cases}
$$

D.4  Correctness 

Now that we have established all the notions needed to understand the correctness of our algorithm precis, we first present several lemmas describing the properties of the different functions of precis. These are needed to show the termination and correctness of precis.

We start by describing the property of the sat function, which we use as the building block of the ips function. The sat function satisfies the following claim.

Claim 1 (sat function). Given a log $\mathcal{L}$, a position $j \in \mathbb{N}$, a time stamp sequence $\tau$, an input substitution $\sigma_{in}$, and a predicate $p(\vec{t})$ such that for all $k \in I(p)$ the following holds: $\forall x \in fv(t_k).\ x \in \mathrm{dom}(\sigma_{in})$, then $\mathsf{sat}(\mathcal{L}, j, \tau, p(\vec{t}), \sigma_{in})$ terminates and returns the finite set of all substitutions $\Sigma_{out}$ for variables in $\bigcup_{k \in I(p)} fv(t_k) \cup \bigcup_{l \in O(p)} fv(t_l) \cup \mathrm{dom}(\sigma_{in})$, where for all $\sigma \in \Sigma_{out}$ and $\eta$, $\sigma \ge \sigma_{in}$ and $\mathcal{L}, \tau, j, \eta \models p(\vec{t})\sigma$ hold.

We now present a lemma about the ips function which states that every substitution returned by ips is an extension of the input substitution $\sigma_{in}$ that ips takes as an argument. It can be shown that the semantics of $\mathcal{GMP}$ formulas and their properties are invariant under renaming of quantified variables.

Lemma 12 (ips is Extension). For all formulas $\varphi$, for all $j \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all states $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, for all substitutions $\sigma_{in}$, for any $\chi_C$ and $\chi_F$, such that: (1) $\chi_C, \chi_F \vdash \varphi : \chi_O$, (2) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, (3) $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$, (4) $\pi$ is strongly consistent at $i$ with respect to $\varphi$, $\tau$, and $\mathcal{L}$, if $\mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi) = \Sigma_{out}$, then for all $\sigma \in \Sigma_{out}$ it holds that $\sigma \ge \sigma_{in}$.

Proof. The proof proceeds by induction on the structure of $\varphi$. We show select cases; the other cases are similar.

Case $\varphi = \top$.

Then $\Sigma_{out} = \{\sigma_{in}\}$, so $\sigma_{in} \ge \sigma_{in}$.

Case $\varphi = \bot$.

Since $\Sigma_{out} = \emptyset$, the statement is vacuously true.

Case $\varphi = p(t_1, \ldots, t_n)$.

Then $\Sigma_{out} = \mathsf{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$, and by Claim 1 we have $\forall \sigma \in \mathsf{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in}).\ \sigma \ge \sigma_{in}$.

Case $\varphi = \varphi_1 \vee \varphi_2$.

Then $\Sigma_{out} = \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1) \cup \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. W.l.o.g., $\sigma \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. Inspection of the applicable mode checking judgements verifies that the inductive hypothesis is applicable, which yields that $\sigma \ge \sigma_{in}$.

Case $\varphi = \varphi_1 \wedge \varphi_2$.

Then $\Sigma_{out} = \bigcup_{\sigma_c \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)} \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$. If $\sigma \in \Sigma_{out}$, then there exists $\sigma_c \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ such that $\sigma \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$. Inspection of the applicable mode checking judgements verifies that the inductive hypothesis is applicable, which first yields that $\sigma_c \ge \sigma_{in}$, and then $\sigma \ge \sigma_c$. By transitivity of $\ge$, we have $\sigma \ge \sigma_{in}$.

Case $\varphi = \exists x.\varphi'$.

W.l.o.g., we have $\mathrm{dom}(\sigma_{in}) \cap \{x\} = \emptyset$, as we can rename $x$ to some fresh $y$. Then $\Sigma_{out} = \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi') \setminus \{x\}$. Then there exists $\sigma' \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi')$ such that $\sigma = \sigma' \setminus \{x\}$. By the inductive hypothesis, $\sigma' \ge \sigma_{in}$, from which we have $\sigma' \setminus \{x\} \ge \sigma_{in} \setminus \{x\}$. As $\sigma = \sigma' \setminus \{x\}$, we now have $\sigma \ge \sigma_{in} \setminus \{x\}$, and as $\mathrm{dom}(\sigma_{in}) \cap \{x\} = \emptyset$, we have $\sigma_{in} \setminus \{x\} = \sigma_{in}$. Then $\sigma \ge \sigma_{in}$.

Case $\varphi = \forall x.(\varphi_1 \to \varphi_2)$.

If $\Sigma_{out} = \{\}$, then the statement vacuously holds. Else $\Sigma_{out} = \{\sigma_{in}\}$, so $\sigma_{in} \ge \sigma_{in}$.

Case $\varphi = \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$.

Sub-Case $B \in \mathrm{label}(\varphi)$.

Then $\Sigma_{out} = \sigma_{in} \bowtie \pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$, so by the properties of $\bowtie$, $\forall \sigma \in \Sigma_{out}.\ \sigma \ge \sigma_{in}$.

Sub-Case $B \notin \mathrm{label}(\varphi)$.

Then $\sigma \in S_{R_1}$ or $\sigma \in S_{R_2}$.

Sub-Sub-Case $\sigma \in S_{R_1}$.

Then $(\sigma, j) \in S_{\varphi_2}$, so $\sigma \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. By the inductive hypothesis, $\sigma \ge \sigma_{in}$.

Sub-Sub-Case $\sigma \in S_{R_2}$.

Then $\sigma \in S_{R_2} = \{\bowtie \sigma'_l \ne \sigma_\bot \mid \exists (\sigma_p, k) \in S_{\varphi_2}.\ k < j \wedge \forall l.(k < l \le j \to \sigma'_l \in \mathsf{ips}(\mathcal{L}, l, \tau, \pi, \sigma_p, \varphi_1))\}$. Then $\sigma = \bowtie \sigma'_l$ for some $\sigma'_l$ with a certain $k$, so $\forall l.\ k < l \le j \to \sigma \ge \sigma'_l$ by the properties of $\bowtie$. By the inductive hypothesis, $\forall l.\ k < l \le j \to \sigma'_l \ge \sigma_p$, thus $\sigma \ge \sigma_p$. Since $(\sigma_p, k) \in S_{\varphi_2}$, $\sigma_p \in \mathsf{ips}(\mathcal{L}, k, \tau, \pi, \sigma_{in}, \varphi_2)$. By the inductive hypothesis, $\sigma_p \ge \sigma_{in}$. By transitivity, $\sigma \ge \sigma_{in}$.

Case $\varphi = \varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2$.

Then $\sigma \in S_{R_1}$ or $\sigma \in S_{R_2}$.

Sub-Case $\sigma \in S_{R_1}$.

Then $(\sigma, j) \in S_{\varphi_2}$, so $\sigma \in \mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. By the inductive hypothesis, $\sigma \ge \sigma_{in}$.

Sub-Case $\sigma \in S_{R_2}$.

Then $\sigma \in S_{R_2} = \{\bowtie \sigma'_l \ne \sigma_\bot \mid \exists (\sigma_p, k) \in S_{\varphi_2}.\ k \ne j \wedge \forall (j \le l < k).\ \sigma'_l \in \mathsf{ips}(\mathcal{L}, l, \tau, \pi, \sigma_p, \varphi_1)\}$. Then $\sigma = \bowtie \sigma'_l$ for some $\sigma'_l$ with a certain $k$, so $\forall l.\ j \le l < k \to \sigma \ge \sigma'_l$ by the properties of $\bowtie$. By the inductive hypothesis, $\forall l.\ j \le l < k \to \sigma'_l \ge \sigma_p$, thus $\sigma \ge \sigma_p$. Since $(\sigma_p, k) \in S_{\varphi_2}$, $\sigma_p \in \mathsf{ips}(\mathcal{L}, k, \tau, \pi, \sigma_{in}, \varphi_2)$. By the inductive hypothesis, $\sigma_p \ge \sigma_{in}$. By transitivity, $\sigma \ge \sigma_{in}$. $\square$
Lemma 13 (Upper Bound of Substitutions returned by ips and Stored in the State).

1. For all $\mathcal{GMP}$ formulas $\varphi$ either of form $\varphi_1\,\mathcal{S}_I\,\varphi_2$, $\Diamond_I \varphi$, $\Box_I \varphi$, or $\ominus_I \varphi$, such that $\{\} \vdash_B \varphi : \chi_O$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for a specific $i \in \mathbb{N}$, for all states $\pi = (\mathcal{A}, i)$ where $\pi$ is strongly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$: $\forall \sigma.(\sigma \in \pi.\mathcal{A}(\varphi)(i).\mathbb{M} \to \mathrm{dom}(\sigma) \subseteq fv(\varphi))$.

2. For all $\mathcal{GMP}$ formulas $\varphi$, for all $j \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all empty environments $\eta_0$, for all states $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, for all substitutions $\sigma_{in}$, for some given $\chi_C$ and $\chi_F$, such that: (1) $\chi_C, \chi_F \vdash \varphi : \chi_O$, (2) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, (3) $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$, (4) $\pi$ is strongly consistent at $i$ with respect to $\varphi$, $\tau$, and $\mathcal{L}$, if $\mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi) = \Sigma_{out}$ then $\forall \sigma.(\sigma \in \Sigma_{out} \to \mathrm{dom}(\sigma) \subseteq \mathrm{dom}(\sigma_{in}) \cup fv(\varphi))$.

Proof. The proof is straightforward by structural induction on the policy $\varphi$ and by using the construction of ips and uSS. $\square$

Lemma 14 (Correctness of uSS and ips function).

1. For all $\mathcal{GMP}$ formulas $\varphi$ either of form $\varphi_1\,\mathcal{S}_I\,\varphi_2$, $\Diamond_I \varphi$, $\Box_I \varphi$, or $\ominus_I \varphi$, such that $\{\} \vdash_B \varphi : \chi_O$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for a specific $i \in \mathbb{N}$, for all states $\hat{\pi} = (\mathcal{A}, i)$ where $\hat{\pi}$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, if $\mathsf{uSS}(\mathcal{L}, i, \tau, \hat{\pi}, \varphi) = \pi$ then $\pi = (\mathcal{A}', i)$ is strongly consistent at $i$ with respect to $\varphi$, $\tau$, and $\mathcal{L}$.

2. For all $\mathcal{GMP}$ formulas $\varphi$, for all $j \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all empty environments $\eta_0$, for all states $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, for all substitutions $\sigma_{in}$, for some given $\chi_C$ and $\chi_F$, such that: (1) $\chi_C, \chi_F \vdash \varphi : \chi_O$, (2) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, (3) $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$, (4) $\pi$ is strongly consistent at $i$ with respect to $\varphi$, $\tau$, and $\mathcal{L}$, if $\mathsf{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi) = \Sigma_{out}$ then the following holds:

(a) (SOUNDNESS)

$\forall \sigma \in \Sigma_{out}.\ (\mathrm{dom}(\sigma) \supseteq (\chi_O \cup \chi_C \cup \chi_F) \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models \varphi\sigma'))$.

(b) (COMPLETENESS)

$\forall \sigma.\ ((\sigma \ge \sigma_{in} \wedge \mathrm{dom}(\sigma) \supseteq fv(\varphi) \wedge \mathcal{L}, \tau, j, \eta_0 \models \varphi\sigma) \to (\exists \sigma_0 \in \Sigma_{out}.\ (\sigma \ge \sigma_0)))$.

Proof. We first show the proof of part (1), then part (2). Note that when uSS is called for a B-formula $\varphi$, it calls ips on strict subformulas of $\varphi$. However, ips does not call uSS directly, and hence there is no cyclic dependency. The proof is a mutual induction on the structure of the policy $\varphi$.

Proof of part (1): Mutual induction on the structure of $\varphi$.

We are given that the state $\hat{\pi} = (\mathcal{A}, i)$ is weakly consistent at trace position $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. We then have to show that the state $\pi = (\mathcal{A}', i)$ is strongly consistent at trace position $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. From Definitions 7 and 8, it is thus sufficient to show that $\pi$ is well-formed at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. In other words, it is sufficient to show that $\mathcal{W}(\mathcal{L}, \tau, \pi, \varphi, i)$ holds.

Case $\varphi = \ominus_{[c,d]}\alpha$

(Soundness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{T}$

We have to show that $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{T}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \alpha\sigma')$. Take any arbitrary $\sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{T}$. From the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{T}$ we know that $\pi.\mathcal{A}'(\varphi)(i).\mathbb{T} \leftarrow \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$. Hence, $\sigma \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$. From the applicable mode checking judgement, we have $\{\} \vdash_B \ominus_{[c,d]}\alpha : \chi_O$ where $\chi_O \subseteq fv(\alpha)$. It follows that $\{\} \vdash_B \alpha : \chi_O$. By Lemma 7, we have $\{\}, \{\} \vdash \alpha : \chi_O$. By Lemma 4, we have $\Delta(\ominus_{[c,d]}\alpha) = 0$. Moreover, $\mathrm{dom}(\bullet) \supseteq \chi_C \cup \chi_F$ where $\chi_C = \chi_F = \{\}$. As $\hat{\pi}$ is weakly consistent at position $i$ with respect to $\mathcal{L}$, $\tau$, and $\ominus_{[c,d]}\alpha$, we know that it is strongly consistent at position $i$ with respect to $\mathcal{L}$, $\tau$, and $\alpha$. We see that we have satisfied all the premises of the soundness of $\mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$. By i.h., we have $\forall \sigma \in \Sigma_{out}.\ (\mathrm{dom}(\sigma) \supseteq (\chi_O \cup \chi_C \cup \chi_F) \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models \varphi\sigma'))$ where $\Sigma_{out} \leftarrow \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$. We have $\chi_C = \chi_F = \{\}$, $\varphi = \alpha$, and $\pi.\mathcal{A}'(\varphi)(i).\mathbb{T} = \Sigma_{out}$. Hence, we have $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{T}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \alpha\sigma')$ where $\eta = \eta_0$.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$

We can have the following two cases.

Sub-Sub-Case $i = 0$

By construction $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M} = \emptyset$, hence the statement is vacuously true.

Sub-Sub-Case $i > 0$

We have to show that $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \varphi\sigma')$. Take any arbitrary $\sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$. By construction $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M} = \{\sigma \mid \sigma \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{T} \wedge (c \le \tau_i - \tau_{i-1} \le d)\}$. As $\hat{\pi}$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, from the definition we can say that it is strongly consistent at $(i-1)$ with respect to $\mathcal{L}$, $\tau$, and $\alpha$. From the soundness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{T}$, we have $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{T}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i-1, \eta \models \alpha\sigma')$. From the semantics of $\ominus$ we have $\mathcal{L}, \tau, i, \eta \models \ominus_{[c,d]}\alpha\sigma \iff i > 0 \wedge \mathcal{L}, \tau, i-1, \eta \models \alpha\sigma \wedge c \le \tau_i - \tau_{i-1} \le d$. By construction we have $(c \le \tau_i - \tau_{i-1} \le d)$, and from the soundness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{T}$ and the semantics of $\ominus$, we have $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \varphi\sigma')$.

(Completeness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{T}$

We have to show that $\forall \sigma, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\alpha) \wedge \mathcal{L}, \tau, i, \eta \models \alpha\sigma \to (\exists \sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{T}.\ \sigma \ge \sigma')$. With the same arguments as in soundness, we can show that we satisfy the premises required to use the completeness statement for ips. From the completeness of ips, we have: $\forall \sigma.((\sigma \ge \sigma_{in} \wedge \mathrm{dom}(\sigma) \supseteq fv(\varphi) \wedge \mathcal{L}, \tau, i, \eta_0 \models \varphi\sigma) \to (\exists \sigma_0 \in \Sigma_{out}.(\sigma \ge \sigma_0)))$ where $\pi.\mathcal{A}'(\varphi)(i).\mathbb{T} = \Sigma_{out}$. Taking $\eta = \eta_0$, $\sigma_{in} = \bullet$, and $\varphi = \alpha$, we have $\forall \sigma, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\alpha) \wedge \mathcal{L}, \tau, i, \eta \models \alpha\sigma \to (\exists \sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{T}.\ \sigma \ge \sigma')$.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$

We can have the following two cases.

Sub-Sub-Case $i = 0$

By the semantics of $\ominus$, there is no $\sigma$ for which $\mathcal{L}, \tau, 0, \eta_0 \models \ominus_{[c,d]}\alpha\sigma$ holds, hence the statement is vacuously true.

Sub-Sub-Case $i > 0$

We have to show that $\forall \sigma, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\varphi) \wedge \mathcal{L}, \tau, i, \eta \models \varphi\sigma \to (\exists \sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}.\ \sigma \ge \sigma')$. Take any arbitrary $\sigma$ such that $\mathrm{dom}(\sigma) \supseteq fv(\varphi)$ and $\mathcal{L}, \tau, i, \eta \models \varphi\sigma$. From the semantics of $\ominus$ we know $\mathcal{L}, \tau, i, \eta \models \ominus_{[c,d]}\alpha\sigma \iff i > 0 \wedge \mathcal{L}, \tau, i-1, \eta \models \alpha\sigma \wedge c \le \tau_i - \tau_{i-1} \le d$. As $\hat{\pi}$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, from the definition we can say that it is strongly consistent at $(i-1)$ with respect to $\mathcal{L}$, $\tau$, and $\alpha$. From the completeness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{T}$, we know that there exists $\sigma_0 \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{T}$ such that $\sigma \ge \sigma_0$. From $c \le \tau_i - \tau_{i-1} \le d$, the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$, and the above, we have $\sigma_0 \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$.

Case $\varphi = \Diamond_{[c,d]}\alpha$

(Soundness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$

We have to show that $\forall (\sigma, k) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \tau_i - \tau_k \le d \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, k, \eta \models \alpha\sigma')$. Take any arbitrary $(\sigma, k) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$. By construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$, we have $(\sigma, k) \in S_\alpha$ or $(\sigma, k) \in (\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F} \setminus S_r)$.

Sub-Sub-Case $(\sigma, k) \in S_\alpha$

By construction, $S_\alpha \leftarrow \{(\sigma, i) \mid \sigma \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha) \wedge 0 \le d\}$ and $k = i$. By checking the applicable mode checking judgements, by Lemma 7, by Lemma 4, and from the premise, we see that the premise of ips soundness is satisfied. By i.h. of ips soundness, we have $(\mathrm{dom}(\sigma) \supseteq (\chi_O \cup \chi_C \cup \chi_F) \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta_0 \models \alpha\sigma'))$. As $\chi_C = \chi_F = \{\}$, $\eta = \eta_0$, and from the construction $\tau_i - \tau_k \le d$, we have $\mathrm{dom}(\sigma) \supseteq \chi_O$ and $\forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, k, \eta \models \alpha\sigma')$, concluding our proof.

Sub-Sub-Case $(\sigma, k) \in (\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F} \setminus S_r)$

By construction, $(\sigma, k) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F}$ and $\tau_i - \tau_k \le d$. As we know that $\hat{\pi}$ is strongly consistent at $(i-1)$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, from the soundness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F}$ we have $\mathrm{dom}(\sigma) \supseteq \chi_O \wedge \tau_{i-1} - \tau_k \le d \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, k, \eta \models \alpha\sigma')$. From the construction we additionally have $\tau_i - \tau_k \le d$. Hence we conclude $\forall (\sigma, k) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \tau_i - \tau_k \le d \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, k, \eta \models \alpha\sigma')$.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$

We have to show that $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \varphi\sigma')$. Take any arbitrary $\sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$. From the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$ we have $\exists k.\ (\sigma, k) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$ and also $(\tau_i - \tau_k \in [c,d])$. Hence, from the soundness of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$ we have $\mathrm{dom}(\sigma) \supseteq \chi_O \wedge \tau_i - \tau_k \le d \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, k, \eta \models \alpha\sigma')$. From the semantics of $\Diamond$, we have $\mathcal{L}, \tau, i, \eta \models \Diamond_{[c,d]}\alpha\sigma \iff \exists k \in \mathbb{N}.\ k \le i \wedge \mathcal{L}, \tau, k, \eta \models \alpha\sigma \wedge (\tau_i - \tau_k \in [c,d])$. Thus, according to the semantics, from the soundness of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$ and by $(\tau_i - \tau_k \in [c,d])$ (from the construction), we have $\mathrm{dom}(\sigma) \supseteq \chi_O$ and $\forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \varphi\sigma')$, concluding our proof.

(Completeness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$

We have to show that $\forall \sigma, k, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\alpha) \wedge \tau_i - \tau_k \le d \wedge \mathcal{L}, \tau, k, \eta \models \alpha\sigma \to (\exists (\sigma', k) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}.\ \sigma \ge \sigma')$. Take any arbitrary $\sigma$ and $k$ such that $\mathrm{dom}(\sigma) \supseteq fv(\alpha)$, $\tau_i - \tau_k \le d$, and $\mathcal{L}, \tau, k, \eta \models \alpha\sigma$. We can have the following two cases:

Sub-Sub-Case $k = i$

In the same vein as the soundness proof of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$, we see that the premise of ips completeness is satisfied. From ips completeness we see that $\exists \sigma_0 \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha).\ (\sigma \ge \sigma_0)$. From this, $\tau_i - \tau_i = 0 \le d$, and $\sigma' = \sigma_0$, according to the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$, $\sigma' \in S_\alpha$ and in turn $\sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$, completing our proof.

Sub-Sub-Case $k < i$

Note that we are given that $\hat{\pi}$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. From the definition, we know that $\hat{\pi}$ is strongly consistent at $(i-1)$ with respect to $\mathcal{L}$, $\tau$, and $\alpha$. From the premise we know that $\mathcal{L}, \tau, k, \eta \models \alpha\sigma$ where $k < i$. From the completeness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F}$, we have the following: $\exists (\sigma', k) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F}.\ \sigma \ge \sigma'$. From the above and $\tau_i - \tau_k \le d$, according to the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$, we know that $\sigma' \in (\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{F} \setminus S_r)$ and hence $\sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$, completing our proof.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$

We have to show that $\forall \sigma, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\varphi) \wedge \mathcal{L}, \tau, i, \eta \models \varphi\sigma \to (\exists \sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}.\ \sigma \ge \sigma')$. Take any arbitrary $\sigma$ such that $\mathrm{dom}(\sigma) \supseteq fv(\varphi)$ and $\mathcal{L}, \tau, i, \eta \models \Diamond_{[c,d]}\alpha\sigma$. From the semantics of $\Diamond$ we have $\mathcal{L}, \tau, i, \eta \models \Diamond_{[c,d]}\alpha\sigma \iff \exists k.\ k \le i \wedge c \le \tau_i - \tau_k \le d \wedge \mathcal{L}, \tau, k, \eta \models \alpha\sigma$. As $fv(\varphi) = fv(\alpha)$, $\tau_i - \tau_k \le d$, and $\mathcal{L}, \tau, k, \eta \models \alpha\sigma$, from the completeness of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{F}$ we have $\exists (\sigma', k) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{F}.\ \sigma \ge \sigma'$. From the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$, we know that $\sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$.
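The constructions that the $\ominus_{[c,d]}\alpha$ and $\Diamond_{[c,d]}\alpha$ cases above argue about can be exercised directly. The following is an added example and not code from the paper or its precis implementation. It models a trace position by the set of substitutions that satisfy $\alpha$ there (standing in for the proof's $\mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$), represents a substitution as a frozenset of (variable, value) pairs, runs the $\mathbb{T}/\mathbb{M}$ update for $\ominus$ and the $\mathbb{F}/\mathbb{M}$ update for $\Diamond$ one position at a time, and checks every $\mathbb{M}$ against the operator's semantics evaluated by brute force over the whole trace. The function names, time stamps and satisfaction sets are all constructed for this illustration.

```python
"""Added example (not the paper's precis code): incremental summary
structures for the "previous" operator ⊖_[c,d]α and the "sometime in the
past" operator ◇_[c,d]α, checked against brute-force semantics.

Assumptions: a trace position i is represented by the set of substitutions
that satisfy α at i (the role the proof gives ips(L, i, τ, π, •, α)); a
substitution is a frozenset of (variable, value) pairs; all sample data
below is constructed."""

from typing import FrozenSet, List, Set, Tuple

Subst = FrozenSet[Tuple[str, str]]


def S(**bindings) -> Subst:
    """Build a substitution from keyword bindings, e.g. S(p="alice")."""
    return frozenset(bindings.items())


def step_prev(prev_T: Set[Subst], sat_i: Set[Subst], tau: List[int],
              i: int, c: int, d: int) -> Tuple[Set[Subst], Set[Subst]]:
    """One update step for ⊖_[c,d]α, returning (T_i, M_i):
    T_i <- substitutions satisfying α at i;
    M_i <- T_{i-1} when i > 0 and c <= τ_i - τ_{i-1} <= d, else empty."""
    T = set(sat_i)
    M = set(prev_T) if i > 0 and c <= tau[i] - tau[i - 1] <= d else set()
    return T, M


def step_diamond(prev_F: Set[Tuple[Subst, int]], sat_i: Set[Subst],
                 tau: List[int], i: int, c: int, d: int
                 ) -> Tuple[Set[Tuple[Subst, int]], Set[Subst]]:
    """One update step for ◇_[c,d]α, returning (F_i, M_i):
    S_α <- {(σ, i) | σ satisfies α at i}         (τ_i - τ_i = 0 <= d)
    S_r <- entries (σ, k) of F_{i-1} with τ_i - τ_k > d (window expired)
    F_i <- S_α ∪ (F_{i-1} \\ S_r)
    M_i <- {σ | ∃k. (σ, k) ∈ F_i ∧ c <= τ_i - τ_k <= d}."""
    s_alpha = {(s, i) for s in sat_i}
    kept = {(s, k) for (s, k) in prev_F if tau[i] - tau[k] <= d}
    F = s_alpha | kept
    M = {s for (s, k) in F if c <= tau[i] - tau[k] <= d}
    return F, M


def run(sat: List[Set[Subst]], tau: List[int], c: int, d: int
        ) -> Tuple[List[Set[Subst]], List[Set[Subst]]]:
    """Run both structures over the trace; return the per-position M sets
    for ⊖ and for ◇."""
    T: Set[Subst] = set()
    F: Set[Tuple[Subst, int]] = set()
    prev_M, diam_M = [], []
    for i in range(len(sat)):
        T, m1 = step_prev(T, sat[i], tau, i, c, d)
        F, m2 = step_diamond(F, sat[i], tau, i, c, d)
        prev_M.append(m1)
        diam_M.append(m2)
    return prev_M, diam_M


def brute_prev(sat, tau, i, c, d) -> Set[Subst]:
    """Semantics of ⊖: i > 0 ∧ α at i-1 ∧ c <= τ_i - τ_{i-1} <= d."""
    if i > 0 and c <= tau[i] - tau[i - 1] <= d:
        return set(sat[i - 1])
    return set()


def brute_diamond(sat, tau, i, c, d) -> Set[Subst]:
    """Semantics of ◇: ∃k <= i. α at k ∧ c <= τ_i - τ_k <= d."""
    return {s for k in range(i + 1) if c <= tau[i] - tau[k] <= d
            for s in sat[k]}


def agrees(sat, tau, c, d) -> bool:
    """True iff the incremental M sets equal the brute-force ones everywhere."""
    prev_M, diam_M = run(sat, tau, c, d)
    return all(prev_M[i] == brute_prev(sat, tau, i, c, d)
               and diam_M[i] == brute_diamond(sat, tau, i, c, d)
               for i in range(len(sat)))


# Constructed trace: six positions with these time stamps, and at each
# position the substitutions under which α holds.
SAMPLE_TAU = [0, 2, 3, 7, 8, 12]
SAMPLE_SAT = [
    {S(p="alice")},
    set(),
    {S(p="bob")},
    {S(p="alice"), S(p="carol")},
    set(),
    {S(p="bob")},
]

if __name__ == "__main__":
    prev_M, diam_M = run(SAMPLE_SAT, SAMPLE_TAU, 1, 5)
    for i in range(len(SAMPLE_SAT)):
        print(i, SAMPLE_TAU[i],
              sorted(sorted(s) for s in prev_M[i]),
              sorted(sorted(s) for s in diam_M[i]))
    print("agrees with semantics:", agrees(SAMPLE_SAT, SAMPLE_TAU, 1, 5))
```

With the window $[1,5]$ the $\Diamond$ result at position 5 (time stamp 12) is $\{p \mapsto alice, p \mapsto carol\}$: only position 3 (time stamp 7) lies in the window, and the entries witnessed at position 0 were dropped from $\mathbb{F}$ once their age exceeded $d$, which is exactly the $S_r$ removal the soundness argument relies on. Because the sample uses ground substitutions with domain $fv(\alpha)$, the extension relation $\sigma \ge \sigma'$ of the lemma collapses to equality, so comparing the sets directly is a faithful check.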

Case $\varphi = \Box_{[c,d]}\alpha$

(Soundness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$

We have to show that $\forall (\sigma, left, right) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \tau_i - \tau_{right} \le d \wedge \forall \sigma', j \in [left, right].\ (\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$. Take any arbitrary $(\sigma, left, right)$ in $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$ such that $\sigma$ is defined. From the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$, we know that $\tau_i - \tau_{right} \le d$. Again from the construction, we know that $(\sigma, left, right) \in T$ where $T = S_{new} \cup S_{update} \cup S_{carry\text{-}over}$.

Sub-Sub-Case $(\sigma, left, right) \in S_{new}$

From the construction, $left = right = i$ and $\sigma \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$. From the applicable mode checking judgements we see that ips soundness is applicable. From ips soundness we know that $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$. From the mode judgement we also know that $\chi_C = \chi_F = \{\}$ and hence $\mathrm{dom}(\sigma) \supseteq \chi_O$. From ips soundness we know that $\forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \alpha\sigma')$. From this we can say that $\forall \sigma', j.(i \le j \le i \wedge \sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$, completing our proof.

Sub-Sub-Case $(\sigma, left, right) \in S_{update}$

From the construction we know that $right = i$ and $\exists \sigma_1, \sigma_2.\ (\sigma = \sigma_1 \bowtie \sigma_2 \wedge \sigma_1 \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha) \wedge (\sigma_2, left, i-1) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H})$. From the applicable mode checking judgements we see that ips soundness is applicable. From ips soundness we know that $\mathrm{dom}(\sigma_1) \supseteq \chi_C \cup \chi_F \cup \chi_O = \chi_O$ as $\chi_C = \chi_F = \{\}$. We also know that $\forall \sigma'_1.(\sigma'_1 \ge \sigma_1 \to \mathcal{L}, \tau, i, \eta \models \alpha\sigma'_1)$. Moreover, $(\sigma_2, left, i-1) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$. We know that $\hat{\pi}$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, from which we know that it is strongly consistent at $i-1$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. From $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$ soundness we have $\mathrm{dom}(\sigma_2) \supseteq \chi_O \wedge \forall \sigma'_2, j.(left \le j \le i-1 \wedge \sigma'_2 \ge \sigma_2 \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma'_2)$.

As $\sigma$ is defined and $\sigma = \sigma_1 \bowtie \sigma_2$, $\mathrm{dom}(\sigma) = \mathrm{dom}(\sigma_1 \bowtie \sigma_2) \supseteq \chi_O$. Moreover, $\sigma \ge \sigma_1$ and $\sigma \ge \sigma_2$. Thus, combining the soundness statements, we have $\mathcal{L}, \tau, i, \eta \models \alpha\sigma$ and $\forall j.(left \le j \le i-1 \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma)$. Again, for any $\sigma' \ge \sigma$, we have $\sigma' \ge \sigma_1$ and $\sigma' \ge \sigma_2$, hence completing our proof.

Sub-Sub-Case $(\sigma, left, right) \in S_{carry\text{-}over}$

From the construction we know that $(\sigma, left, right) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$. We know that $\hat{\pi}$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, from which we know that $\hat{\pi}$ is strongly consistent at $i-1$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. From $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$ soundness we have $\mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma', j.(left \le j \le right \wedge \sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$. This completes our proof.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$

We have to show that $\forall \sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}, \eta.\ \mathrm{dom}(\sigma) \supseteq \chi_O \wedge \forall \sigma'.(\sigma' \ge \sigma \to \mathcal{L}, \tau, i, \eta \models \varphi\sigma')$. Take any arbitrary $\sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$. From the semantics, $\mathcal{L}, \tau, i, \eta \models (\Box_{[c,d]}\alpha)\sigma' \iff \forall j.(j \le i \wedge c \le \tau_i - \tau_j \le d \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$. Again from the semantics we can write $\mathcal{L}, \tau, i, \eta \models (\Box_{[c,d]}\alpha)\sigma' \iff \forall j.(\mathrm{minPosition}(\tau, i, c, d) \ne -1 \wedge \mathrm{maxPosition}(\tau, i, c, d) \ne -1 \wedge \mathrm{minPosition}(\tau, i, c, d) \le j \le \mathrm{maxPosition}(\tau, i, c, d) \le i \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$.

From the construction, $\sigma \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$ implies that $\exists L, R.\ (\mathrm{minPosition}(\tau, i, c, d) \ne -1 \wedge \mathrm{maxPosition}(\tau, i, c, d) \ne -1 \wedge L \le \mathrm{minPosition}(\tau, i, c, d) \le \mathrm{maxPosition}(\tau, i, c, d) \le R \wedge (\sigma, L, R) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H})$. From the soundness of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$ we have $\mathrm{dom}(\sigma) \supseteq \chi_O$, $\tau_i - \tau_R \le d$, and $\forall \sigma', j.(L \le j \le R \wedge \sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$. As $L \le \mathrm{minPosition}(\tau, i, c, d)$ and $\mathrm{maxPosition}(\tau, i, c, d) \le R$, we can write $\forall \sigma', j.(\mathrm{minPosition}(\tau, i, c, d) \ne -1 \wedge \mathrm{maxPosition}(\tau, i, c, d) \ne -1 \wedge \mathrm{minPosition}(\tau, i, c, d) \le j \le \mathrm{maxPosition}(\tau, i, c, d) \wedge \sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma')$. From this and the semantics, we have our desired result $\mathcal{L}, \tau, i, \eta \models (\Box_{[c,d]}\alpha)\sigma'$.

(Completeness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$

We have to show that $\forall \sigma, L, R, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\alpha) \wedge (L \le R \le i) \wedge (\tau_i - \tau_R \le d) \wedge (\forall t.(L \le t \le R) \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma) \to \exists \sigma', left, right.\ (\sigma \ge \sigma') \wedge left \le L \le R \le right \le i \wedge (\sigma', left, right) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$. Take any arbitrary $\sigma$, $L$, and $R$ such that $\mathrm{dom}(\sigma) \supseteq fv(\alpha)$, $L \le R \le i$, $\tau_i - \tau_R \le d$, and $\forall t.(L \le t \le R) \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma$.

Sub-Sub-Case $L < i$, $R = i$

We know: $\forall t.(L \le t \le R \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma)$. We can rewrite the above to: (a) $\forall t.(L \le t \le i-1 \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma)$, and (b) $\mathcal{L}, \tau, i, \eta \models \alpha\sigma$.

From (b) we see that ips completeness is applicable. From ips completeness we have $\exists \sigma'_2 \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha).\ \sigma \ge \sigma'_2$. From the construction, $\sigma'_2 \in \Sigma$.

From (a), we see that $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$ completeness is applicable. From $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$ completeness we have $\exists L', \sigma'_1.\ (\sigma \ge \sigma'_1 \wedge L' \le L \le (i-1) \wedge (\sigma'_1, L', i-1) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H})$. We know $\sigma \ge \sigma'_1$ and $\sigma \ge \sigma'_2$, so $\sigma'_1 \bowtie \sigma'_2$ exists, and $\sigma \ge \sigma'_1 \bowtie \sigma'_2$.

We know $(\sigma'_1, L', i-1) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$, $\sigma'_2 \in \Sigma$, and $\sigma'_1 \bowtie \sigma'_2 \ne \sigma_\bot$; from the construction, $(\sigma'_1 \bowtie \sigma'_2, L', i) \in S_{update}$. We also know $L' \le L \le R \le i$. From the premise we know that $\tau_i - \tau_R \le d$, hence $(\sigma'_1 \bowtie \sigma'_2, L', i) \notin S_{remove}$, hence it is in $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$.

Sub-Sub-Case $L = R = i$

We know $\mathcal{L}, \tau, i, \eta \models \alpha\sigma$. We see that ips completeness is applicable. From ips completeness we have $\exists \sigma' \in \mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha).\ (\sigma \ge \sigma')$. By construction $\sigma' \in \Sigma$.

Case decision on: $\forall (\sigma_1, l, i-1) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}.\ \sigma' \bowtie \sigma_1 \ne \sigma'$.

Sub-Sub-Sub-Case True

Then $(\sigma', i, i) \in S_{new}$, so $(\sigma', i, i) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$, as $\tau_i - \tau_i \le d$.

Sub-Sub-Sub-Case False

Then $\exists (\sigma_2, l, i-1) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$ such that $\sigma' \bowtie \sigma_2 = \sigma'$. Then $(\sigma' \bowtie \sigma_2, l, i) = (\sigma', l, i) \in S_{update}$. As $\tau_i - \tau_i \le d$, hence $(\sigma', l, i) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$.

Sub-Sub-Case $L < i$, $R < i$

Sub-Sub-Sub-Case $R = i-1$

From the premise we know that $\forall t.(L \le t \le R) \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma$, i.e., $\forall t.(L \le t \le i-1) \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma$. From the completeness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$, we have $\exists \sigma', left, right.\ (left \le L \le R \le right \le (i-1) \wedge \sigma \ge \sigma' \wedge (\sigma', left, right) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H})$. We also know that $\tau_i - \tau_R \le d$ and $R \le right$. Thus, $\tau_i - \tau_{right} \le d$.

Case decision on $\forall \sigma_1 \in \Sigma.\ \sigma_1 \bowtie \sigma \ne \sigma$.

Case: True. In case the above condition is true, by construction, $(\sigma, left, right) \in S_{carry\text{-}over}$ but $(\sigma, left, right) \notin S_{remove}$. Hence, $(\sigma, left, right) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$.

Case: False. In case the above condition is false, there exists a $\sigma_1 \in \Sigma$ such that $\sigma \bowtie \sigma_1 = \sigma$. According to the construction, we see that $(\sigma, left, i) \in S_{update}$, and $\tau_i - \tau_i \le d$ ensures that $(\sigma, left, i) \notin S_{remove}$, hence $(\sigma, left, i) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$, completing our proof.

Sub-Sub-Sub-Case $R < i-1$

From the premise we know that $\forall t.(L \le t \le R) \to \mathcal{L}, \tau, t, \eta \models \alpha\sigma$, and since $R < i-1$ the completeness of $\pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H}$ applies. From it, we have $\exists \sigma', left, right.\ (left \le L \le R \le right \le (i-1) \wedge \sigma \ge \sigma' \wedge (\sigma', left, right) \in \pi.\mathcal{A}'(\varphi)(i-1).\mathbb{H})$. We also know that $\tau_i - \tau_R \le d$ and $R \le right$. Thus, $\tau_i - \tau_{right} \le d$. By construction, $(\sigma', left, right) \in S_{carry\text{-}over}$ but $(\sigma', left, right) \notin S_{remove}$, and hence $(\sigma', left, right) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$, which completes our proof.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$

We have to show that $\forall \sigma, \eta.\ \mathrm{dom}(\sigma) \supseteq fv(\varphi) \wedge \mathcal{L}, \tau, i, \eta \models \varphi\sigma \to (\exists \sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}.\ \sigma \ge \sigma')$. Take any arbitrary $\sigma$ such that $\mathrm{dom}(\sigma) \supseteq fv(\varphi)$ and $\mathcal{L}, \tau, i, \eta \models \Box_{[c,d]}\alpha\sigma$. Let $nP \leftarrow \mathrm{minPosition}(\tau, i, c, d)$ and $xP \leftarrow \mathrm{maxPosition}(\tau, i, c, d)$. From the semantics we have: $\mathcal{L}, \tau, i, \eta \models \Box_{[c,d]}\alpha\sigma \iff \forall j.(j \le i \wedge (c \le \tau_i - \tau_j \le d) \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma)$. From this we can also write: $\mathcal{L}, \tau, i, \eta \models \Box_{[c,d]}\alpha\sigma \iff \forall j.(nP \ne -1 \wedge xP \ne -1 \wedge (nP \le j \le xP) \to \mathcal{L}, \tau, j, \eta \models \alpha\sigma)$. From the definition of maxPosition, we have $\tau_i - \tau_{xP} \le d$. We see that the completeness of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$ is applicable. From the $\pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$ completeness we know that $\exists \sigma', left, right.\ (\sigma \ge \sigma' \wedge left \le nP \le xP \le right \le i \wedge (\sigma', left, right) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H})$. As $left \le nP \le xP \le right \le i$ and $(\sigma', left, right) \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{H}$, from the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$ we see that $\sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathbb{M}$, hence completing our proof.
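The $\Box_{[c,d]}\alpha$ case above reasons about interval entries $(\sigma, left, right)$ in $\mathbb{H}$ and the sets $S_{new}$, $S_{update}$, $S_{carry\text{-}over}$ and $S_{remove}$. The following added example (not code from the paper or its precis implementation) implements that construction as the proof describes it and checks the derived $\mathbb{M}$ against the semantics of $\Box$ by brute force. Assumptions beyond the text: a position is represented by the set of substitutions satisfying $\alpha$ there (the role of $\mathsf{ips}(\mathcal{L}, i, \tau, \pi, \bullet, \alpha)$); substitutions are frozensets of (variable, value) pairs and $\bowtie$ is their consistent union; minPosition and maxPosition are taken to be the smallest and largest $j \le i$ with $c \le \tau_i - \tau_j \le d$ ($-1$ when there is none); the carry-over filter is applied to entries ending at $i-1$ that a current substitution extends, as in the case decision on $\forall \sigma_1 \in \Sigma.\ \sigma_1 \bowtie \sigma \ne \sigma$. The function names and sample trace are constructed.

```python
"""Added example (not the paper's precis code): the interval summary
structure H for "always in the past" □_[c,d]α and the result set M derived
from it, checked against brute-force semantics on a constructed trace.

Assumptions: a position i is represented by the set of substitutions
satisfying α at i (the role of ips(L, i, τ, π, •, α) in the proof);
substitutions are frozensets of (variable, value) pairs; minPosition and
maxPosition are the smallest and largest j <= i with c <= τ_i - τ_j <= d
(-1 when there is none)."""

from typing import FrozenSet, List, Optional, Set, Tuple

Subst = FrozenSet[Tuple[str, str]]
Entry = Tuple[Subst, int, int]   # (σ, left, right): α holds under σ on [left, right]


def S(**bindings) -> Subst:
    return frozenset(bindings.items())


def join(a: Subst, b: Subst) -> Optional[Subst]:
    """σ_a ⋈ σ_b: union of two substitutions, or σ_⊥ (None) if they disagree."""
    merged = dict(a)
    for var, val in b:
        if merged.get(var, val) != val:
            return None
        merged[var] = val
    return frozenset(merged.items())


def window(tau: List[int], i: int, c: int, d: int) -> Tuple[int, int]:
    """(minPosition, maxPosition) of the window [c, d] at i, or (-1, -1)."""
    hits = [j for j in range(i + 1) if c <= tau[i] - tau[j] <= d]
    return (hits[0], hits[-1]) if hits else (-1, -1)


def step_box(prev_H: Set[Entry], sat_i: Set[Subst], tau: List[int],
             i: int, c: int, d: int) -> Tuple[Set[Entry], Set[Subst]]:
    """One update step for □_[c,d]α following the construction in the proof:
    S_update     <- {(σ1 ⋈ σ2, left, i) | σ1 ∈ Σ, (σ2, left, i-1) ∈ H_{i-1}, join defined}
    S_new        <- {(σ, i, i) | σ ∈ Σ, no (σ1, l, i-1) ∈ H_{i-1} has σ ⋈ σ1 = σ}
    S_carry-over <- entries of H_{i-1} not extended by a σ1 ∈ Σ with σ1 ⋈ σ = σ
    H_i          <- (S_new ∪ S_update ∪ S_carry-over) minus S_remove (τ_i - τ_right > d)
    M_i          <- {σ | (σ, L, R) ∈ H_i, L <= minPosition <= maxPosition <= R}."""
    ending = [(s2, l, r) for (s2, l, r) in prev_H if r == i - 1]
    s_update: Set[Entry] = set()
    extended: Set[Entry] = set()
    for s1 in sat_i:
        for (s2, left, right) in ending:
            j = join(s1, s2)
            if j is not None:
                s_update.add((j, left, i))
                if j == s2:          # σ1 adds nothing: the old entry is superseded
                    extended.add((s2, left, right))
    s_new = {(s, i, i) for s in sat_i
             if all(join(s, s2) != s for (s2, _, _) in ending)}
    s_carry = prev_H - extended
    T = s_new | s_update | s_carry
    H = {(s, l, r) for (s, l, r) in T if tau[i] - tau[r] <= d}
    nP, xP = window(tau, i, c, d)
    M = {s for (s, l, r) in H if nP != -1 and l <= nP <= xP <= r}
    return H, M


def run_box(sat: List[Set[Subst]], tau: List[int], c: int, d: int) -> List[Set[Subst]]:
    """Run the structure over the whole trace; return M at every position."""
    H: Set[Entry] = set()
    out = []
    for i in range(len(sat)):
        H, M = step_box(H, sat[i], tau, i, c, d)
        out.append(M)
    return out


def brute_box(sat, tau, i, c, d) -> Optional[Set[Subst]]:
    """Semantics of □ over ground substitutions: σ holds at every position
    of the window. Returns None for an empty window, where □ is vacuously
    true for every σ and no finite structure can enumerate the result."""
    nP, xP = window(tau, i, c, d)
    if nP == -1:
        return None
    result = set(sat[nP])
    for j in range(nP, xP + 1):
        result &= sat[j]
    return result


def agrees_box(sat, tau, c, d) -> bool:
    """True iff incremental M equals the semantics at every non-empty window."""
    Ms = run_box(sat, tau, c, d)
    for i in range(len(sat)):
        ref = brute_box(sat, tau, i, c, d)
        if ref is not None and ref != Ms[i]:
            return False
    return True


# Constructed trace: alice holds at 0..3, bob at 1..2, carol at 3..5.
SAMPLE_TAU = [0, 1, 2, 4, 5, 9]
SAMPLE_SAT = [
    {S(p="alice")},
    {S(p="alice"), S(p="bob")},
    {S(p="alice"), S(p="bob")},
    {S(p="alice"), S(p="carol")},
    {S(p="carol")},
    {S(p="carol")},
]

if __name__ == "__main__":
    for i, M in enumerate(run_box(SAMPLE_SAT, SAMPLE_TAU, 1, 3)):
        print(i, SAMPLE_TAU[i], window(SAMPLE_TAU, i, 1, 3), sorted(sorted(s) for s in M))
    print("agrees with semantics:", agrees_box(SAMPLE_SAT, SAMPLE_TAU, 1, 3))
```

With the window $[1,3]$, position 3 (time stamp 4) has $nP = 1$ and $xP = 2$, and $\mathbb{M}$ contains exactly $alice$ and $bob$: the entry $(alice, 0, 3)$ was built by repeated $S_{update}$ steps, $(bob, 1, 2)$ survived as carry-over once $bob$ stopped holding, and $(carol, 3, 3)$ is too recent to cover the window. At position 5 the window is empty, which is the vacuous-truth case the semantics handles through $nP \ne -1 \wedge xP \ne -1$ and which the finite structure cannot enumerate, so the checker skips it rather than reporting a mismatch.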


Case  (p  =  aS^A 
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(Soundness) 

Sub-Case 

The  proof  is  exactly  like  the  soundness  proof  of  structure  it.A'  (p)(i).F  for  0[c,d\ a- 
Sub-Case  7r.^l/((^)(i).§Q 

We  have  to  show  that  V(cr,  k)  G  7r..A/(<£)(i).§a,  r].dom(a)  D  (xi  U  X2)  A  (\/a',l.(k  < 
l  <  i)  A  a’  >  a  — >  C,T,l,r]  |=  aa').  Take  any  arbitrary  (a,k)  G  7r.^l/(<^)(i).§Q,.  From 
construction  7r. A' (</?)()■) -§a  g-  <S'newU5UpCjate.  Thus,  (a,  k)  G  <Snew  or  (ai  &)  £  ^update- 
Sub-Sub-Case  (a,  k )  G  S'new 

By  construction  k  =  i  and  a  G  U  iPs(Ab  T,ir,ap,a).  From 

{vp,j)£i7.A'(‘p){i)Sp/\j¥zi 

premise  and  soundness  of  7r.^l/((/?)(i).§)g,  we  know  that  doir^er^)  D  xi-  Again 
from  investigating  the  applicable  mode  checking  judgements  and  soundness  of  ips, 
dom(cj)  D  xi  U  X2-  Again  from  soundness  of  ips,  we  additionally  know  that, 
Mal  .a'  >  a  ^  jC,T,i,V  |=  ota’ .  We  also  trivially  satisfy  that  VZ.i  <  l  <  i.  Hence,  we 
have  our  desired  conclusion  that  W,  l.(k  <  l  <  i)  A  a'  >  a  — >•  £,  r,  Z,  77  |=  aa' . 
Sub-Sub-Case  (a,  k)  G  Update 

By  construction  we  have  k  <  i.  By  construction  we  also  have  3cra,  cti-ct  =  aa  x  a\  A 
a  ^  c_l  A(c ra,  Zc)  G  l).§aAcri  G  U  ips  (A  i,  r,  7r,  ap,a). 

From  the  premise,  we  have  n  is  weakly  consistent  at  i  with  respect  to  £,  r,  and  p. 
From  definition  of  weak  consistency,  we  can  conclude  that  n  is  strongly  consistent 
at  (i  —  1)  with  respect  to  £,  r,  and  p.  From  soundness  of  it.A'(p)(i  —  1).SQ  we  have, 
dom(cra)  D  (xi  U  X2)  A  \/a" ,  l".(k  <  l"  <  (i  —  1)  A  a "  >  aa  — >  £,  r,  l,  7]  \=  aa").  Again 
from  investigating  the  applicable  mode  checking  judgements  and  soundness  of  ips, 
dom(cri)  D  xi  U  X2  and  Ma'" .{a'"  >  a\  — >•  £,  r,  l,rj  |=  aa"').  As  <7  =  aa  x  a\  and 
a  /  cr_i_,  dom((j)  =  dom((ja  xi  a\)  D  (xi  U  X2X  Combining  the  above  two  soundness 
statements  and  using  the  fact  that  for  any  arbitrary  a'  >  a  implies  that  a'  >  aa  and 
a'  >  a  1,  we  have  our  desired  result. 

Sub-Case  7r.^l/((^)(i).M 

We  have  to  show  that  V<7  G  7r.A/(</?)(i).M,  ??.dom(cj)  D  xo  A  Ma' .{a'  >  a  — >•  £,r,  i,  77  \= 
(pa').  Take  any  arbitrary  a  such  that  a  G  ir.yF (<£>)(*) -if  From  construction  of  7r.A/(^)(Z).K, 
cr  G  SRl  or  cr  G  Sr2  . 

Sub-Sub-Case  a  G 

From  construction  of  Sri:  S ^  <—  {ap  \  ( ap,i )  G  7r.A/(<^)(Z).S/3  A  c  <  0  <  d}. 
From  soundness  of  7r.A/(<^)(i).§(a  we  know  that  \/(ap,k)  G  ThA/^XX-Se-Hom  M  2 
Xi  A  Ti  —  Tfc  <  d  A  Ma" .{a"  >  ap  — >  £,  r,  k,  77  |=  /5 ex'' ) .  We  know  k  =  i  and  xo  = 
Xi-  From  the  semantics  of  S ,  we  know  that  £,  r,  £7 7  |=  (3  A  (c  <  0  <  (Z)  — >• 
£,  r,  i,  7]  j=  (a 5  [Ci(fl/3).  As  a  G  S'/j,  the  soundness  of  7r.A/(v9)(i).§ig  applies  to  a.  From 
construction  we  have  c  <  0  <  d.  Thus  we  have  dom(cr)  D  xi-  From  the  soundness  of 
7t.A/(^)(*).S^  and  semantics  of  S  ,  we  have  Ma'(a'  >  a  — >  £,  r,  i,  77  |=  (a  5  [c^/^cd. 
Sub-Sub-Case  <r  G 

From  construction  there  exists  ap,  aa,  k,  j  such  that  a  =  ap  xi  aa,  a  /  a±, 
{ap,  k)  G  7r..A,(<p)(i).S0,  k  A  h  c  <  Ti  —  Tk  <  d,  (aaJ)  G  7r.A'(^)(i).Sa,  and 
j  <  (k  +  1).  From  the  soundness  of  7r.A/(<^)(*).§(a,  we  have  dom(CTg)  A)  xi  A Tj  —  Tk  < 
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d  A  Ma"  .(a"  >  ap  — >  C,T,k,r ]  |=  fio").  Again  from  the  soundness  of  7r../4/(v?)(*).§a, 
we  have  dom(aa)  D  (%i  U  X2)  A  (Va",  i.(&  <  l  <  i)  A  a"  >  aa  ^  £,  r,  l,  rj  |=  aa').  We 
know  xo  =  Xi  and  <7  =  ap  x  aa  from  which  we  have  dom  0)  2  (XO  U  x2)-  Thus, 
we  have  our  desired  dom(a)  D  \0-  From  the  semantics  of  S  we  have,  C,T,i,rj  \= 
(aS  [i0'hi]/3)  3m  <  i.jC,,T,m,r)  \=  (5  A  lo  <  Ti  —  rm  <  hi  A  Vt.m  +  1  <  l  < 
i  A  C,T,l,r)  j=  a.  From  the  semantics,  combining  the  soundness  of  7r.^l/((^)(i).§ja 
and  7r.M'(<^)(i).SQ,  by  instantiating  m  =  k  and  t  =  l,  and  using  the  fact  that  for 
any  arbitrary  a'  such  that  a'  >  a  implies  that  a'  >  ap  and  a'  >  aa,  we  have  the 
following  C,T,i,r /  |=  (a<S  [c,d\PW- 

(Completeness)

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).S_\beta$

The proof is exactly like the completeness proof of the structure $\pi.\mathcal{A}'(\varphi)(i)$ for $\Diamond_{[c,d]}\alpha$.

Sub-Case $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$

Take any arbitrary $\sigma$, $\sigma_\beta$, and $k$ such that $(\sigma_\beta, k) \in \pi.\mathcal{A}'(\varphi)(i).S_\beta$, $\sigma \ge \sigma_\beta$, $\mathrm{dom}(\sigma) \supseteq (\chi_1 \cup \chi_2)$, and $\forall l.\,(k < l \le i \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma)$. We have to show that $\exists \sigma', m.\,(\sigma \ge \sigma' \wedge m \le k + 1 \wedge (\sigma', m) \in \pi.\mathcal{A}'(\varphi)(i).S_\alpha)$.

Sub-Sub-Case $k < i - 1$

We know that $\forall l.\,(k < l \le i \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma)$, from which $\forall l.\,(k < l \le i - 1 \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma)$ follows. We know that $\pi$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$; hence $\pi$ is strongly consistent at $i - 1$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$. From the completeness of $\pi.\mathcal{A}'(\varphi)(i-1).S_\alpha$ we know that $\exists \sigma_1, m.\,(\sigma \ge \sigma_1 \wedge m \le k + 1 \wedge (\sigma_1, m) \in \pi.\mathcal{A}'(\varphi)(i-1).S_\alpha)$. We can also write $\forall l.\,(k < l \le i \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma) \to \mathcal{L}, \tau, i, \eta \models \alpha\sigma$. Investigating the applicable mode judgements we see that the completeness of $\mathrm{ips}$ is applicable. From the i.h. (completeness of $\mathrm{ips}$) we know that $\exists \sigma_2.\,(\sigma \ge \sigma_2 \wedge \sigma_2 \in \mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma_\beta, \alpha))$. We see from the construction of $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$ that $\sigma_2 \in S_\alpha$. So far we have $\sigma \ge \sigma_1$ and $\sigma \ge \sigma_2$. From this we know that $\sigma_1 \bowtie \sigma_2$ is defined and $\sigma \ge \sigma_1 \bowtie \sigma_2$. By construction of $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$, $\sigma_1 \bowtie \sigma_2 \in S_{update}$, hence $\sigma_1 \bowtie \sigma_2 \in \pi.\mathcal{A}'(\varphi)(i).S_\alpha$.

Sub-Sub-Case $k = i - 1$

We know that $\forall l.\,(k < l \le i \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma)$, and thus $\mathcal{L}, \tau, i, \eta \models \alpha\sigma$. Investigating the applicable mode judgements we see that the completeness of $\mathrm{ips}$ is applicable, so $\exists \sigma_2.\,(\sigma \ge \sigma_2 \wedge \sigma_2 \in \mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma_\beta, \alpha))$. We see from the construction of $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$ that $\sigma_2 \in S_\alpha$. We now show that $\sigma_2$ is either in $S_{new}$ or in $S_{update}$, and hence in $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$.

Sub-Sub-Sub-Case $\forall (\sigma_1, t) \in \pi.\mathcal{A}'(\varphi)(i-1).S_\alpha.\,(\sigma_1 \bowtie \sigma_2 \neq \sigma_2)$

In this case, from the construction, the side condition for $\sigma_2 \in S_{new}$ holds, and consequently $\sigma_2 \in \pi.\mathcal{A}'(\varphi)(i).S_\alpha$.

Sub-Sub-Sub-Case $\exists (\sigma_1, t) \in \pi.\mathcal{A}'(\varphi)(i-1).S_\alpha.\,(\sigma_1 \bowtie \sigma_2 = \sigma_2)$

Then $\sigma_1 \bowtie \sigma_2$ is defined and equals $\sigma_2$. From the construction of $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$ we see that $\sigma_2 \in S_{update}$, and hence $\sigma_2 \in \pi.\mathcal{A}'(\varphi)(i).S_\alpha$, completing our proof.
Sub-Case $\pi.\mathcal{A}'(\varphi)(i).\mathcal{R}$

We have to show that $\forall \sigma, \eta.\,\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi) \wedge \mathcal{L}, \tau, i, \eta \models \varphi\sigma \to (\exists \sigma' \in \pi.\mathcal{A}'(\varphi)(i).\mathcal{R}.\,\sigma \ge \sigma')$. Take any arbitrary $\sigma$ such that $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi)$ and $\mathcal{L}, \tau, i, \eta \models (\alpha\,\mathcal{S}_{[c,d]}\,\beta)\sigma$. From the semantics of $\mathcal{S}$ we have $\mathcal{L}, \tau, i, \eta \models (\alpha\,\mathcal{S}_{[c,d]}\,\beta)\sigma \iff \exists k.\,((k \le i) \wedge \mathcal{L}, \tau, k, \eta \models \beta\sigma \wedge (c \le \tau_i - \tau_k \le d) \wedge \forall l.\,(k < l \le i \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma))$. We have the following two cases.

Sub-Sub-Case $k = i$

From the semantics of $\mathcal{S}$, we have $\mathcal{L}, \tau, i, \eta \models \beta\sigma \wedge c \le \tau_i - \tau_i \le d \to \mathcal{L}, \tau, i, \eta \models (\alpha\,\mathcal{S}_{[c,d]}\,\beta)\sigma$. From the premise we have $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi)$, from which we know $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi) \supseteq \mathrm{fv}(\beta)$. We also have $\tau_i - \tau_i \le d$. We see that the completeness of $\pi.\mathcal{A}'(\varphi)(i).S_\beta$ is applicable. We thus have $\mathcal{L}, \tau, i, \eta \models \beta\sigma \to \exists \sigma_1.\,((\sigma_1, i) \in \pi.\mathcal{A}'(\varphi)(i).S_\beta \wedge (\sigma \ge \sigma_1))$. From the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathcal{R}$, $(\sigma_1, i) \in \pi.\mathcal{A}'(\varphi)(i).S_\beta$, and $c \le 0 \le d$, we have $\sigma_1 \in S_{R_1}$ and hence $\sigma_1 \in \pi.\mathcal{A}'(\varphi)(i).\mathcal{R}$, completing our proof.

Sub-Sub-Case $k < i$

From the semantics of $\mathcal{S}$ we have $\mathcal{L}, \tau, k, \eta \models \beta\sigma \wedge (c \le \tau_i - \tau_k \le d) \wedge \forall l.\,((k < l \le i) \to \mathcal{L}, \tau, l, \eta \models \alpha\sigma) \to \mathcal{L}, \tau, i, \eta \models (\alpha\,\mathcal{S}_{[c,d]}\,\beta)\sigma$. From the premise we have $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi)$, from which we know $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi) \supseteq \mathrm{fv}(\beta)$. We also have $\tau_i - \tau_k \le d$. We see that the completeness of $\pi.\mathcal{A}'(\varphi)(i).S_\beta$ is applicable. We thus have $\mathcal{L}, \tau, k, \eta \models \beta\sigma \wedge \tau_i - \tau_k \le d \to \exists \sigma_\beta.\,((\sigma_\beta, k) \in \pi.\mathcal{A}'(\varphi)(i).S_\beta \wedge (\sigma \ge \sigma_\beta))$.

Investigating the applicable mode checking judgements and using Lemma 1 we have $\chi_1 \subseteq \mathrm{fv}(\beta)$ and $\chi_2 \subseteq \mathrm{fv}(\alpha)$. We also know from the definition of the function $\mathrm{fv}$ that $\mathrm{fv}(\alpha\,\mathcal{S}_{[c,d]}\,\beta) = \mathrm{fv}(\alpha) \cup \mathrm{fv}(\beta)$. Thus we have $\chi_1 \cup \chi_2 \subseteq \mathrm{fv}(\alpha) \cup \mathrm{fv}(\beta) = \mathrm{fv}(\alpha\,\mathcal{S}_{[c,d]}\,\beta) \subseteq \mathrm{dom}(\sigma)$. We see that the completeness of $\pi.\mathcal{A}'(\varphi)(i).S_\alpha$ is applicable, from which we have $\exists \sigma_\alpha, m.\,\sigma \ge \sigma_\alpha \wedge m \le (k + 1) \wedge (\sigma_\alpha, m) \in \pi.\mathcal{A}'(\varphi)(i).S_\alpha$.

As we have $\sigma \ge \sigma_\beta$ and $\sigma \ge \sigma_\alpha$, $\sigma_\beta \bowtie \sigma_\alpha$ is defined and $\sigma \ge \sigma_\beta \bowtie \sigma_\alpha$. From the construction of $\pi.\mathcal{A}'(\varphi)(i).\mathcal{R}$, we know that $\sigma_\beta \bowtie \sigma_\alpha \in S_{R_2}$ and hence $\sigma_\beta \bowtie \sigma_\alpha \in \pi.\mathcal{A}'(\varphi)(i).\mathcal{R}$, completing our proof.

Proof of part (2): Mutual induction on the structure of $\varphi$. We show select cases; the other cases are similar.


Case $\varphi = \top$.

(Soundness)

From the definition of $\mathrm{ips}$, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \top) = \Sigma_{out} = \{\sigma_{in}\}$. From premise 1 and the mode checking judgement TRUE, $\chi_C, \chi_F \vdash \top : \emptyset$. From premise 3, $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$. From the above, for all $\sigma \in \Sigma_{out}$, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$, as $\chi_O = \emptyset$. We have to show that $\forall \sigma'.\,\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models \top\sigma'$. From the semantics, any $\sigma' \ge \sigma$ trivially satisfies $\mathcal{L}, \tau, j, \eta_0 \models \top\sigma'$.

(Completeness)

Let $\sigma_0 = \sigma_{in}$. Then by premise $\sigma_0 \le \sigma$, and by definition of $\mathrm{ips}$, $\sigma_0 \in \Sigma_{out}$.


Case $\varphi = \bot$.

(Soundness)

From the definition of $\mathrm{ips}$, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \bot) = \Sigma_{out} = \emptyset$. Thus the statement is vacuously true.

(Completeness)

For any $\sigma$, $\bot\sigma = \bot$. Since there are no $\mathcal{L}$, $\tau$, $\eta_0$, and $j$ such that $\mathcal{L}, \tau, j, \eta_0 \models \bot$, the statement is vacuously true.


Case $\varphi = p(t_1, \ldots, t_n)$.

(Soundness)

From the definition of $\mathrm{ips}$, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, p(t_1, \ldots, t_n)) = \Sigma_{out} = \mathrm{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$. From premises 1 and 3, the pre-condition of the $\mathrm{sat}$ function is satisfied (Claim 1). From Claim 1, for all $\sigma \in \mathrm{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$, $\mathrm{dom}(\sigma) = \chi_C \cup \chi_F \cup \chi_O$. Thus, for all $\sigma \in \Sigma_{out}$, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$. It remains to show $\forall \sigma'.\,\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models p(t_1, \ldots, t_n)\sigma'$. From Claim 1, for all $\sigma \in \mathrm{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$, $\mathcal{L}, \tau, j, \eta_0 \models p(t_1, \ldots, t_n)\sigma$. Note that the function $\mathrm{sat}$ returns grounding substitutions$^1$ for $p(t_1, \ldots, t_n)$. Thus, by Corollary 1, for all $\sigma' \ge \sigma$ where $\sigma \in \mathrm{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$, $\mathcal{L}, \tau, j, \eta_0 \models p(t_1, \ldots, t_n)\sigma'$ holds.

(Completeness)

Let $V = \mathrm{fv}(p(t_1, \ldots, t_n))$. By the semantics of predicates, it must be that $\mathrm{dom}(\sigma) \supseteq V$. Then by premise and Lemma 11, $\mathcal{L}, \tau, j, \eta_0 \models p(t_1, \ldots, t_n)(\sigma \downarrow V)$. Let $\sigma_0 = \sigma \downarrow (V \cup \mathrm{dom}(\sigma_{in}))$. Since $\sigma_{in} \le \sigma$ by premise, $\sigma \downarrow V \le \sigma_0 \le \sigma$. By Corollary 1, it follows that $\mathcal{L}, \tau, j, \eta_0 \models p(t_1, \ldots, t_n)\sigma_0$.


Case $\varphi = \varphi_1 \vee \varphi_2$.

(Soundness)

Let $S_1 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ and $S_2 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. From the definition of $\mathrm{ips}$, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \vee \varphi_2) = \Sigma_{out} = S_1 \cup S_2$. Then $\sigma \in S_1$ or $\sigma \in S_2$. W.l.o.g., $\sigma \in S_1$. By inspection of the disjunction mode judgements (and Lemmas 5, 7, and 8), $\chi_C, \chi_F \vdash \varphi_1 : \chi_1$. By I.H., $\mathrm{dom}(\sigma) \supseteq (\chi_C \cup \chi_F \cup \chi_1)$ and $\forall \sigma'.\,\sigma' \ge \sigma \Rightarrow \mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma'$. Since $\chi_O = \chi_1 \cap \chi_2$, $\mathrm{dom}(\sigma) \supseteq (\chi_C \cup \chi_F \cup \chi_1) \supseteq (\chi_C \cup \chi_F \cup \chi_O)$. Further, by the semantics of $\vee$, $\forall \sigma''.\,\mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma'' \Rightarrow \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1 \vee \varphi_2)\sigma''$. Thus $\forall \sigma'.\,\sigma' \ge \sigma \Rightarrow \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1 \vee \varphi_2)\sigma'$, which concludes soundness.

(Completeness)

If $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1 \vee \varphi_2)\sigma$, then $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma$ or $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma$. W.l.o.g., $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma$. Since $\mathrm{fv}(\varphi_1) \subseteq \mathrm{fv}(\varphi_1 \vee \varphi_2)$, by I.H. there exists $\sigma_0 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ such that $\sigma_0 \le \sigma$. By definition of $\mathrm{ips}$, $\sigma_0 \in \Sigma_{out}$.


Case $\varphi = \varphi_1 \wedge \varphi_2$.

(Soundness)

From the definition of $\mathrm{ips}$,
$$\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \wedge \varphi_2) = \Sigma_{out} = \bigcup_{\sigma_c \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)} \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2).$$
Take an arbitrary $\sigma \in \Sigma_{out}$. Then there exists $\sigma_c \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ such that $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$. By inspection of the applicable mode checking judgements (and Lemmas 7 and 5), the inductive hypothesis is applicable and yields $\mathrm{dom}(\sigma_c) \supseteq \chi_C \cup \chi_F \cup \chi_1$. Now, with the additional help of Lemma 8, the inductive hypothesis yields $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_1 \cup \chi_2$. Since $\chi_O = \chi_1 \cup \chi_2$, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$.

It remains to show that $\forall \sigma'.\,\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1 \wedge \varphi_2)\sigma'$. Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. By the inductive hypothesis on $\varphi_2$ we have $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma'$. Further, $\sigma' \ge \sigma_c$, since $\sigma \ge \sigma_c$ by Lemma 12. Then we can apply the inductive hypothesis on $\varphi_1$ and get $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma'$. From the semantics of $\wedge$, we have $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1 \wedge \varphi_2)\sigma'$.

(Completeness)

If $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1 \wedge \varphi_2)\sigma$, then $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma$ and $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma$. Since $\mathrm{fv}(\varphi_1) \subseteq \mathrm{fv}(\varphi_1 \wedge \varphi_2)$, the I.H. is applicable and guarantees $\exists \sigma_1 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1).\,\sigma_1 \le \sigma$. By Lemma 12, also $\sigma_1 \ge \sigma_{in}$, so $\mathrm{dom}(\sigma_1) \supseteq \chi_C \cup \chi_F$. Let $\sigma_2 = \sigma \downarrow (\mathrm{dom}(\sigma_1) \cup \mathrm{fv}(\varphi_2))$, which is a prefix of $\sigma$ with $\mathrm{dom}(\sigma_2) = \mathrm{dom}(\sigma_1) \cup \mathrm{fv}(\varphi_2)$, since $\mathrm{dom}(\sigma_1) \subseteq \mathrm{dom}(\sigma)$ and $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi) \supseteq \mathrm{fv}(\varphi_2)$. So $\sigma_1 \le \sigma_2 \le \sigma$. Since $\sigma_2 \le \sigma$ and $\mathrm{dom}(\sigma_2) \supseteq \mathrm{fv}(\varphi_2)$, $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma_2$ by Lemma 11. Thus we can apply the inductive hypothesis with $\sigma_{in} = \sigma_1$ and get $\exists \sigma_0 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_1, \varphi_2).\,\sigma_0 \le \sigma_2$. By definition of $\mathrm{ips}$, $\sigma_0 \in \Sigma_{out}$, and by transitivity $\sigma_0 \le \sigma$.

$^1$ Substitutions for all free variables.


Case $\varphi = \exists x.\varphi_1$.

(Soundness)

W.l.o.g., $\mathrm{dom}(\sigma_{in}) \cap \{x\} = \emptyset$, as we can rename $x$ to some fresh $y$. Let $\sigma \in \Sigma_{out}$. By definition, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \exists x.\varphi_1) = \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1) \setminus \{x\}$. Thus there exist a $t$ and a $\sigma_1 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ such that $\sigma[x \mapsto t] = \sigma_1$; in other words, $\sigma = \sigma_1 \setminus \{x\}$. By inspection of the mode checking judgements we can apply the inductive hypothesis, which yields $\mathrm{dom}(\sigma_1) \supseteq \chi_C \cup \chi_F \cup \chi_1$ and $\forall \sigma'' \ge \sigma_1.\,\mathcal{L}, \tau, j, \eta_0 \models \varphi_1\sigma''$.

From $\sigma = \sigma_1 \setminus \{x\}$ it follows that $\mathrm{dom}(\sigma) = \mathrm{dom}(\sigma_1) \setminus \{x\}$. From $\mathrm{dom}(\sigma_1) \supseteq \chi_C \cup \chi_F \cup \chi_1$ we have $\mathrm{dom}(\sigma_1) \setminus \{x\} \supseteq (\chi_C \cup \chi_F \cup \chi_1) \setminus \{x\} = (\chi_C \setminus \{x\}) \cup (\chi_F \setminus \{x\}) \cup (\chi_1 \setminus \{x\})$. From $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$ and $\mathrm{dom}(\sigma_{in}) \cap \{x\} = \emptyset$, we have $\mathrm{dom}(\sigma_1) \setminus \{x\} \supseteq \chi_C \cup \chi_F \cup (\chi_1 \setminus \{x\}) = \chi_C \cup \chi_F \cup \chi_O$. Finally, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$.

Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. We can write $\sigma' + [x \mapsto t] \ge \sigma + [x \mapsto t] = \sigma_1$. From the i.h., $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1(\sigma' + [x \mapsto t])$. From the semantics of $\exists$, $\mathcal{L}, \tau, j, \eta_0 \models (\exists x.\varphi_1)\sigma'$.

(Completeness)

$\mathcal{L}, \tau, j, \eta_0 \models (\exists x.\varphi_1)\sigma$ if and only if there exists a $t$ such that $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1(\sigma + [x \mapsto t])$. From the premise we have $\sigma \ge \sigma_{in}$, from which it follows that $\sigma + [x \mapsto t] \ge \sigma_{in}$. From the definition of $\mathrm{fv}$ we have $\mathrm{fv}(\varphi_1) \subseteq \mathrm{fv}(\exists x.\varphi_1) \cup \{x\}$. From the premise we also have $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\exists x.\varphi_1)$, so $\mathrm{dom}(\sigma) \cup \{x\} \supseteq \mathrm{fv}(\exists x.\varphi_1) \cup \{x\} \supseteq \mathrm{fv}(\varphi_1)$. Thus $\mathrm{dom}(\sigma + [x \mapsto t]) \supseteq \mathrm{fv}(\varphi_1)$, as $\mathrm{dom}(\sigma + [x \mapsto t]) = \mathrm{dom}(\sigma) \cup \{x\}$. We now see that the i.h. is applicable, from which we have $\exists \sigma_{01} \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ such that $\sigma + [x \mapsto t] \ge \sigma_{01}$. From this we can write $\sigma \ge \sigma_{01} \setminus \{x\}$. From the definition of $\mathrm{ips}$, $\sigma_{01} \setminus \{x\} \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \exists x.\varphi_1)$, which completes our proof.

Case $\varphi = \forall x.(\varphi_1 \to \varphi_2)$.

(Soundness)

Consider $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2)) \neq \emptyset$. In this case, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2)) = \{\sigma_{in}\}$. Consider any $\sigma_1$ such that $\sigma_1 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ and $\sigma_2$ such that $\sigma_2 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_1, \varphi_2)$. If no such $\sigma_1$ exists then $\varphi$ is trivially satisfied by falsifying the antecedent, in which case $\mathrm{ips}$ returns $\{\sigma_{in}\}$ and thus, from the premise, $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F \cup \chi_O$ where $\chi_O = \emptyset$. If no such $\sigma_2$ exists then $\varphi$ is falsified, $\mathrm{ips}$ returns $\emptyset$, and the statement vacuously holds. Now consider that both $\sigma_1$ and $\sigma_2$ exist. From premise 3, we know $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$. We also know $\sigma_{in} \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2))$. From the mode checking judgements we know $\chi_O = \emptyset$. Thus, for $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2))$, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$.

It remains to show that $\forall \sigma'.\,(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\forall x.(\varphi_1 \to \varphi_2))\sigma')$. We know from the definition that $\sigma = \sigma_{in}$, as $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2)) \neq \emptyset$. Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma = \sigma_{in}$.

Inspection of the applicable mode checking judgements reveals that in all cases $\mathrm{fv}(\varphi_2) \subseteq \chi_C \cup \chi_F \cup \chi_1$ (with transitivity and additivity of $\subseteq$). From premise (1) and Lemma 1 or Lemma 2, $\chi_1 \subseteq \mathrm{fv}(\varphi_1)$. Thus $\mathrm{fv}(\varphi_2) \subseteq \chi_C \cup \chi_F \cup \mathrm{fv}(\varphi_1)$. Further, always $\mathrm{fv}(\varphi_1) \subseteq \chi_C \cup \chi_F \cup \{x\}$, so that $\mathrm{fv}(\varphi_2) \subseteq \chi_C \cup \chi_F \cup \{x\}$. Finally, by premise 3 we know $\mathrm{dom}(\sigma_{in}) \supseteq (\chi_C \cup \chi_F)$, which means:

(C-i) $\mathrm{fv}(\varphi_2) \subseteq \mathrm{dom}(\sigma_{in}) \cup \{x\}$.

$\mathcal{L}, \tau, j, \eta_0 \models (\forall x.(\varphi_1 \to \varphi_2))\sigma'$ is equivalent to $\forall t.\,(\mathcal{L}, \tau, j, \eta_0 \models \varphi_1(\sigma'[x \mapsto t]) \to \mathcal{L}, \tau, j, \eta_0 \models \varphi_2(\sigma'[x \mapsto t]))$. Take any arbitrary $t$ such that $\mathcal{L}, \tau, j, \eta_0 \models \varphi_1(\sigma'[x \mapsto t])$.

[Z] It is thus sufficient to show that $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2(\sigma'[x \mapsto t])$.

By I.H. (Completeness), $\exists \sigma_1 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1).\,\sigma_1 \le \sigma'[x \mapsto t]$. By inspection of the mode checking judgements and I.H. (Soundness), $\mathrm{dom}(\sigma_1) \supseteq \mathrm{dom}(\sigma_{in}) \cup \{x\}$. From the construction, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_1, \varphi_2) \neq \emptyset$. Take an arbitrary $\sigma_2$ from this set. By I.H. (Soundness),

(C-ii) $\sigma_2 \ge \sigma_1 \wedge \mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma_2$.

Now we will show that:

[TS] $\exists \sigma_2^m \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_1, \varphi_2).\,(\sigma_2 \ge \sigma_2^m \wedge \mathrm{dom}(\sigma_2^m) \subseteq \mathrm{dom}(\sigma_{in}) \cup \{x\} \wedge \mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma_2^m)$.

From (C-ii), we have (A-II) $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma_2$. From Lemma 11 and (A-II), we have (A-III) $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2(\sigma_2 \downarrow \mathrm{fv}(\varphi_2))$.

From Lemma 11, we have (A-IV) $\forall \sigma, \sigma', \varphi.\,((\mathrm{dom}(\sigma) = \mathrm{fv}(\varphi) \wedge \mathrm{dom}(\sigma) \cap \mathrm{dom}(\sigma') = \emptyset \wedge \mathcal{L}, \tau, j, \eta_0 \models \varphi\sigma) \to \mathcal{L}, \tau, j, \eta_0 \models \varphi(\sigma + \sigma'))$. From (C-i), we have (A-V) $\mathrm{fv}(\varphi_2) \subseteq \mathrm{dom}(\sigma_{in}) \cup \{x\}$. It follows that $\exists Y.\,(\mathrm{fv}(\varphi_2) \cup Y) = \mathrm{dom}(\sigma_{in}) \cup \{x\}$. From (A-III), (A-IV), and (A-V), we have (A-VI) $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2(\sigma_2 \downarrow (\mathrm{dom}(\sigma_{in}) \cup \{x\}))$. (X) By I.H. (Completeness), $\exists \sigma_2^m \le (\sigma_2 \downarrow (\mathrm{dom}(\sigma_{in}) \cup \{x\})).\,\sigma_2^m \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_1, \varphi_2)$. As $\sigma_2^m \ge \sigma_2^m$, by I.H. (Soundness), $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma_2^m$. Thus we have shown the third conjunct of TS to be true. From (X), we know (Y) $\sigma_2^m \le \sigma_2 \downarrow (\mathrm{dom}(\sigma_{in}) \cup \{x\})$, which implies $\sigma_2^m \le \sigma_2$. Thus we have shown the first conjunct of TS to be true. From (A-V) and (Y), $\mathrm{dom}(\sigma_2^m) \subseteq \mathrm{dom}(\sigma_2 \downarrow (\mathrm{dom}(\sigma_{in}) \cup \{x\})) = \mathrm{dom}(\sigma_{in}) \cup \{x\}$. Thus we have shown the second conjunct of TS to be true. This implies that we have shown TS to be true.

Now, if we can show that $\sigma'[x \mapsto t] \ge \sigma_2^m$, then from the third conjunct of TS and I.H. (Soundness) we can show $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2(\sigma'[x \mapsto t])$ to hold. $\sigma'[x \mapsto t] \ge \sigma_2^m$ is equivalent to the following:

[U] $\forall v \in \mathrm{dom}(\sigma_2^m).\,\sigma_2^m(v) = \sigma'[x \mapsto t](v)$.

From the second conjunct of TS, $\mathrm{dom}(\sigma_2^m) \subseteq \mathrm{dom}(\sigma_{in}) \cup \{x\}$. From this and U, for all $v \in \mathrm{dom}(\sigma_2^m)$ either (E-1) $v \in ((\mathrm{dom}(\sigma_{in}) \setminus \{x\}) \cap \mathrm{dom}(\sigma_2^m))$ or (E-2) $v \in (\{x\} \cap \mathrm{dom}(\sigma_2^m))$ holds.

Sub-Case (E-1) $v \in ((\mathrm{dom}(\sigma_{in}) \setminus \{x\}) \cap \mathrm{dom}(\sigma_2^m))$:

We know $\sigma' \ge \sigma_{in}$, which implies $\sigma'(v) = \sigma_{in}(v)$. We also have $\mathrm{dom}(\sigma') \supseteq \mathrm{dom}(\sigma_{in})$. Since $v \notin \{x\}$, [R-1] $\sigma'[x \mapsto t](v) = \sigma_{in}(v)$. We know $\sigma_2 \ge \sigma_1 \ge \sigma_{in} \setminus \{x\}$, so $\sigma_2 \ge \sigma_{in} \setminus \{x\}$, which is equivalent to $\forall v_1 \in \mathrm{dom}(\sigma_{in}) \setminus \{x\}.\,\sigma_2(v_1) = (\sigma_{in} \setminus \{x\})(v_1)$. We also know from the first conjunct of TS that $\sigma_2 \ge \sigma_2^m$, which is equivalent to $\forall v_2 \in \mathrm{dom}(\sigma_2^m).\,\sigma_2(v_2) = \sigma_2^m(v_2)$. As $v \in ((\mathrm{dom}(\sigma_{in}) \setminus \{x\}) \cap \mathrm{dom}(\sigma_2^m))$, $v \in \mathrm{dom}(\sigma_{in}) \setminus \{x\}$ and $v \in \mathrm{dom}(\sigma_2^m)$. It follows that $\sigma_2^m(v) = \sigma_2(v) = (\sigma_{in} \setminus \{x\})(v)$. As $v \notin \{x\}$, $\sigma_2^m(v) = \sigma_{in}(v)$. From the above and R-1, we have $\sigma_2^m(v) = \sigma'[x \mapsto t](v)$.

Sub-Case (E-2) $v \in (\{x\} \cap \mathrm{dom}(\sigma_2^m))$:

We have to show that $\sigma_2^m(v) = \sigma'[x \mapsto t](v)$. We know $\sigma_2 \ge \sigma_2^m$, which implies $\forall v_1 \in \mathrm{dom}(\sigma_2^m).\,\sigma_2(v_1) = \sigma_2^m(v_1)$. As $\sigma_2^m \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_1, \varphi_2)$, we have $\sigma_2^m \ge \sigma_1$, which implies $\forall v_2 \in \mathrm{dom}(\sigma_1).\,\sigma_2^m(v_2) = \sigma_1(v_2)$. We also know $\sigma'[x \mapsto t] \ge \sigma_1$, which implies $\forall v_3 \in \mathrm{dom}(\sigma_1).\,\sigma_1(v_3) = \sigma'[x \mapsto t](v_3)$. By inspecting the mode checking judgements we know $\{x\} \subseteq \chi_1$, and thus $\mathrm{dom}(\sigma_1) \supseteq \chi_C \cup \chi_F \cup \{x\}$. As $v \in \{x\}$, it follows that $v \in \mathrm{dom}(\sigma_1)$. Thus we have $\forall v \in \{x\}.\,\sigma_2^m(v) = \sigma_1(v) = \sigma'[x \mapsto t](v)$, completing our proof.


(Completeness)

We have to show that $\forall \sigma.\,(\sigma \ge \sigma_{in} \wedge \mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi) \wedge \mathcal{L}, \tau, i, \eta \models \varphi\sigma \to \exists \sigma_0.\,(\sigma_0 \in \mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2)) \wedge \sigma \ge \sigma_0))$. Take any arbitrary $\sigma$ such that $\sigma \ge \sigma_{in}$, $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi)$, and $\mathcal{L}, \tau, i, \eta \models \varphi\sigma$. W.l.o.g. we assume $\mathrm{dom}(\sigma) \cap \{x\} = \emptyset$ and $\mathrm{dom}(\sigma_{in}) \cap \{x\} = \emptyset$. From the semantics we know that $\mathcal{L}, \tau, i, \eta \models (\forall x.(\varphi_1 \to \varphi_2))\sigma \iff \forall t.\,(\mathcal{L}, \tau, i, \eta \models \varphi_1\sigma[x \mapsto t] \to \mathcal{L}, \tau, i, \eta \models \varphi_2\sigma[x \mapsto t])$. Take any arbitrary $\sigma'$ from $\mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1)$. By Lemma 12, $\sigma' \ge \sigma_{in}$, and by analyzing the mode checking judgements, $\mathrm{dom}(\sigma') \subseteq \mathrm{dom}(\sigma_{in}) \cup \mathrm{fv}(\varphi_1)$ and $\mathrm{fv}(\varphi_1) \subseteq \chi_C \cup \chi_F \cup \{x\} \subseteq \mathrm{dom}(\sigma_{in}) \cup \{x\}$ (by the premise $\chi_C \cup \chi_F \subseteq \mathrm{dom}(\sigma_{in})$). By analyzing the applicable mode checking judgements and $\mathrm{ips}$ soundness (IH) we have $\{x\} \subseteq \mathrm{dom}(\sigma')$. By the premise, $\sigma \ge \sigma_{in}$, $\mathrm{fv}(\varphi) \subseteq \mathrm{dom}(\sigma)$, and $\{x\} \cap \mathrm{dom}(\sigma) = \emptyset$. Again, $\mathrm{fv}(\varphi) = (\mathrm{fv}(\varphi_1) \cup \mathrm{fv}(\varphi_2)) \setminus \{x\}$. Let $\sigma'' = \sigma + [x \mapsto \sigma'(x)]$. We will now show that $\sigma'' \ge \sigma'$. From the definition of $\ge$, $\sigma'' \ge \sigma'$ if for any $v \in \mathrm{dom}(\sigma')$, $\sigma''(v) = \sigma'(v)$. We have seen that $\mathrm{dom}(\sigma') \subseteq \mathrm{dom}(\sigma_{in}) \cup \{x\}$. Thus for any $v \in \mathrm{dom}(\sigma')$, $v \in \mathrm{dom}(\sigma_{in})$ or $v \in \{x\}$.

Sub-Case $v \in \mathrm{dom}(\sigma_{in})$

From Lemma 12, $\sigma' \ge \sigma_{in}$. From the premise, $\sigma \ge \sigma_{in}$. Now $\sigma' \ge \sigma_{in} \to \sigma'(v) = \sigma_{in}(v)$ and $\sigma \ge \sigma_{in} \to \sigma(v) = \sigma_{in}(v)$, so $\sigma(v) = \sigma''(v) = \sigma'(v)$.

Sub-Case $v \in \{x\}$

$v \in \{x\} \to \sigma'(v) = \sigma''(v)$ by construction, as there are no other variables in the domain of $\sigma'$.

Thus we have $\sigma'' \ge \sigma'$. By analyzing the applicable mode checking judgements we see that $\mathrm{ips}$ soundness is applicable. From $\mathrm{ips}$ soundness we have $\mathcal{L}, \tau, i, \eta \models \varphi_1\sigma''$, i.e., $\mathcal{L}, \tau, i, \eta \models \varphi_1\sigma[x \mapsto \sigma'(x)]$. Let $t \leftarrow \sigma'(x)$. By the premise and the semantics of the universal quantifier, $\mathcal{L}, \tau, i, \eta \models \varphi_2\sigma[x \mapsto t]$. From the mode checking judgements we know that $\chi_C, \chi_F \cup \chi_1 \vdash \varphi_2 : \chi_2$. From the premise we have $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi) \ge \Delta(\varphi_2)$. From $\mathrm{ips}$ soundness for $\varphi_1$, we know $\mathrm{dom}(\sigma') \supseteq \chi_C \cup \chi_F \cup \chi_1$. From the premise we know that $\pi$ is consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$ (and hence $\varphi_2$). We have shown $\sigma'' \ge \sigma'$. We also have $\mathrm{fv}(\varphi_2) \subseteq \mathrm{dom}(\sigma'')$, as $\mathrm{fv}(\varphi_2) \subseteq \chi_C \cup \chi_F \cup \chi_1 \subseteq \mathrm{dom}(\sigma') \subseteq \mathrm{dom}(\sigma'')$. We also have $\mathcal{L}, \tau, i, \eta \models \varphi_2\sigma[x \mapsto t]$. Hence we see that $\mathrm{ips}$ completeness is applicable. By $\mathrm{ips}$ completeness (IH) we have $\exists \sigma_2 \in \mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma', \varphi_2).\,\sigma_2 \le \sigma[x \mapsto t]$. Thus $\mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma', \varphi_2) \neq \emptyset$. Since $\sigma'$ was arbitrary, there does not exist a $\sigma' \in \mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma_{in}, \varphi_1)$ such that $\mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma', \varphi_2) = \emptyset$.

Thus $\mathrm{ips}(\mathcal{L}, i, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \to \varphi_2)) = \{\sigma_{in}\}$. Now by the premise $\sigma_{in} \le \sigma$, so $\sigma_0 = \sigma_{in}$ is the required substitution.




Case $\varphi = \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$.

(Soundness)

Sub-Case $B \in \mathrm{label}(\varphi)$

From the definition of $\mathrm{ips}$, we get $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2) = \sigma_{in} \bowtie \pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(j).\mathcal{R}$. We can say that for all $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$ with $\sigma \neq \bot$ there exists a $\sigma_1 \in \pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(j).\mathcal{R}$ such that $\sigma = \sigma_{in} \bowtie \sigma_1$. We first have to show that for all such $\sigma$, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$. From premise 3, Lemma 14 (1), and Definition 7, $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$ and $\mathrm{dom}(\sigma_1) \supseteq \chi_O$. As $\sigma = \sigma_{in} \bowtie \sigma_1$ and $\sigma \neq \bot$, we can see that $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$. It remains to show that $\forall \sigma'.\,(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma')$. Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. As $\sigma = \sigma_{in} \bowtie \sigma_1$ and $\sigma \neq \bot$, we can write $\sigma' \ge \sigma_1$. From Lemma 14 (1) and Definition 7 we know that $\forall \sigma'_1.\,\sigma'_1 \ge \sigma_1 \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma'_1$. It follows that $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma'$, completing the proof.


Sub-Case $B \notin \mathrm{label}(\varphi)$

Take an arbitrary $\sigma \in \Sigma_{out}$. By definition, $\Sigma_{out} = \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2) = S_{R_1} \cup S_{R_2}$. Thus $\sigma \in S_{R_1}$ or $\sigma \in S_{R_2}$.

Sub-Sub-Case $\sigma \in S_{R_1}$

From the definition of $S_{R_1}$, we know that $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$ and $c \le 0 \le d$. We first show that $\mathrm{dom}(\sigma) \supseteq (\chi_C \cup \chi_F \cup \chi_O)$. From premise 3, we know that $\mathrm{dom}(\sigma_{in}) \supseteq (\chi_C \cup \chi_F)$. From the mode checking judgements for $\mathcal{S}$ and the I.H., $\mathrm{dom}(\sigma) \supseteq (\chi_C \cup \chi_F \cup \chi_1)$. Since $\chi_O = \chi_1$ by the applicable judgements, $\mathrm{dom}(\sigma) \supseteq (\chi_C \cup \chi_F \cup \chi_O)$. It remains to show that $\forall \sigma'.\,(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma')$. Take an arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. From the semantics of $\mathcal{S}$ we know that $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma'$ if and only if there exists $k \in \mathbb{N}$ with $k \le j$ such that $c \le \tau_j - \tau_k \le d$, $\mathcal{L}, \tau, k, \eta_0 \models \varphi_2\sigma'$, and for all $l \in \mathbb{N}$ with $k < l \le j$, $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma'$ holds. So if $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma'$ holds and $c \le 0 \le d$, then $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma'$ holds (take $k = j$). Now, since $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$, $c \le 0 \le d$, and $\sigma' \ge \sigma$, by the inductive hypothesis it follows that $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma'$. From this, it follows that $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma'$.

Sub-Sub-Case $\sigma \in S_{R_2}$

Then there exist $(\sigma_\beta, k) \in S_\beta$ and $\sigma''_l$ such that $c \le \tau_j - \tau_k \le d$, $\bowtie_l \sigma''_l = \sigma$, $k < j$, and for all $l$ with $k < l \le j$ we have $\sigma''_l \in \mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_\beta, \varphi_1)$. For brevity, from here on we assume $l$ is restricted to this range. By construction, $\sigma_\beta \in \mathrm{ips}(\mathcal{L}, k, \tau, \pi, \sigma_{in}, \varphi_2)$. By the inductive hypothesis, $\mathrm{dom}(\sigma_\beta) \supseteq \chi_C \cup \chi_F \cup \chi_1$, and since $\chi_O = \chi_1$, $\mathrm{dom}(\sigma_\beta) \supseteq \chi_C \cup \chi_F \cup \chi_O$. Now by Lemma 12, $\forall l.\,\sigma''_l \ge \sigma_\beta$. Thus $\forall l.\,\mathrm{dom}(\sigma''_l) \supseteq \chi_C \cup \chi_F \cup \chi_O$, and so $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$.

It remains to show that $\forall \sigma'.\,(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma')$. Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. Then $\sigma' \ge \sigma_\beta$, so by the inductive hypothesis $\mathcal{L}, \tau, k, \eta_0 \models \varphi_2\sigma'$, and also $c \le \tau_j - \tau_k \le d$. Also $\forall l.\,\sigma' \ge \sigma''_l$, so that again by the inductive hypothesis $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma'$. The semantics of $\mathcal{S}$ is $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma' \iff \exists m \in \mathbb{N}.\,(m \le j \wedge \mathcal{L}, \tau, m, \eta_0 \models \varphi_2\sigma' \wedge (c \le \tau_j - \tau_m \le d) \wedge \forall l \in \mathbb{N}.\,((m < l \le j) \to \mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma'))$. Instantiating $m$ with $k$ lets us conclude.


(Completeness)

$\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)\sigma$ if and only if $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\sigma)\,\mathcal{S}_{[c,d]}\,(\varphi_2\sigma)$ if and only if there exists $k \le j$ such that $c \le \tau_j - \tau_k \le d$, $\mathcal{L}, \tau, k, \eta_0 \models \varphi_2\sigma$, and for all $l$ with $k < l \le j$, $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma$. Let $k$ be maximal.

Sub-Case $B \in \mathrm{label}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$

Since $B \in \mathrm{label}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$, there exists $\chi_O$ with $\chi_O \subseteq \mathrm{fv}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$ such that the $B$-mode judgements for $\varphi_1$ and $\varphi_2$ derive $\chi_C \vdash_B \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2 : \chi_O$. Let $\sigma' = \sigma \downarrow \chi_O$. Note that $\mathrm{dom}(\sigma') = \chi_O$, since $\mathrm{dom}(\sigma) \supseteq \mathrm{fv}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$. Since $\pi$ is strongly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, and $j \le i$, $\pi$ is well-formed at $j$ with respect to $\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$, $\mathcal{L}$, and $\tau$ ($\Gamma(\mathcal{L}, \tau, \pi, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2, j)$). So, by Definition 6 (Statement 6 for $\varphi_1\,\mathcal{S}\,\varphi_2$), $\sigma' \in \pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(j).\mathcal{R}$. Let $\sigma_0 = \sigma_{in} \bowtie \sigma'$. Note that $\sigma_0 \neq \bot$, because $\sigma'$ is a prefix of $\sigma$, which itself is an extension of $\sigma_{in}$. Thus $\sigma_0 \in \Sigma_{out}$. By the same arguments, also $\sigma_0 \le \sigma$.

Sub-Case $B \notin \mathrm{label}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$

Sub-Sub-Case $k = j$.

Since $\mathrm{fv}(\varphi_2) \subseteq \mathrm{fv}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$, by the inductive hypothesis $\exists \sigma_0 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2).\,\sigma_0 \le \sigma$. By construction, $(\sigma_0, j) \in S_\beta$. As $j = k$, $\tau_j - \tau_k = 0$, so from the premise $c \le 0 \le d$. Thus $\sigma_0 \in S_{R_1}$ and so $\sigma_0 \in \Sigma_{out}$.

Sub-Sub-Case $k < j$.

Then, analogously to the previous case, $\exists \sigma_2 \in \mathrm{ips}(\mathcal{L}, k, \tau, \pi, \sigma_{in}, \varphi_2).\,\sigma_2 \le \sigma$. From the premise we have $c \le \tau_j - \tau_k \le d$. Also, for all $l$ with $k < l \le j$, $\sigma_2 \notin \mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_{in}, \varphi_2)$, or $k$ would not be maximal for $\sigma$. Thus $(\sigma_2, k) \in S_\beta$. By inspection of the mode checking judgements (and lemmas) and soundness, $\mathrm{dom}(\sigma_2) \supseteq \chi_C \cup \chi_F \cup \chi_1$. Thus, by the I.H., for all $l$ with $k < l \le j$, $\exists \sigma''_l \in \mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_2, \varphi_1).\,\sigma''_l \le \sigma$.

Since all $\sigma''_l$ are $\le \sigma$, the join $\sigma_0 = \bowtie_l \sigma''_l$ exists and $\sigma_0 \le \sigma$. Furthermore, by construction $\sigma_0 \in S_{R_2}$ and so $\sigma_0 \in \Sigma_{out}$.

Case $\varphi = \varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2$.

(Soundness)

Take an arbitrary $\sigma \in \Sigma_{out}$. By definition, $\Sigma_{out} = \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2) = S_{R_1} \cup S_{R_2}$. Thus $\sigma \in S_{R_1}$ or $\sigma \in S_{R_2}$.

Sub-Case $\sigma \in S_{R_1}$

From the definition of $S_{R_1}$, we know $S_{R_1} = \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$ and $c \le 0 \le d$, so $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. We first show that $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$. From premise 3, we know that $\mathrm{dom}(\sigma_{in}) \supseteq (\chi_C \cup \chi_F)$. From the mode checking judgements for UNTIL and the I.H., $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_1$. Since $\chi_O = \chi_1$ by the applicable judgements, $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$.

It still remains to show that $\forall \sigma'.\,(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma')$. Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. From the semantics of $\mathcal{U}$ we know that $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma'$ if and only if there exists $k \in \mathbb{N}$ with $k \ge j$ and $c \le (\tau_k - \tau_j) \le d$ such that $\mathcal{L}, \tau, k, \eta_0 \models \varphi_2\sigma'$ and for all $l \in \mathbb{N}$ with $j \le l < k$, $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma'$ holds. So if $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma'$ and $c \le 0 \le d$ hold, then $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma'$ holds (take $k = j$). Now, since $\sigma \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$, by the I.H. it follows that $\mathcal{L}, \tau, j, \eta_0 \models \varphi_2\sigma'$, and so $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma'$.

Sub-Case $\sigma \in S_{R_2}$

Then there exist $(\sigma_\beta, k) \in S_\beta$ and $\sigma''_l$ such that $\bowtie_l \sigma''_l = \sigma$, $k > j$, and $\forall l.\,(j \le l < k \to \sigma''_l \in \mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_\beta, \varphi_1))$. For brevity, again assume $l$ restricted to this range. By construction, $\sigma_\beta \in \mathrm{ips}(\mathcal{L}, k, \tau, \pi, \sigma_{in}, \varphi_2)$ and $c \le (\tau_k - \tau_j) \le d$. From premise 3, we know that $\mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$. From the mode checking judgements for UNTIL and the I.H., $\mathrm{dom}(\sigma_\beta) \supseteq (\chi_C \cup \chi_F \cup \chi_1)$. Since $\chi_O = \chi_1$ by the applicable judgements, $\mathrm{dom}(\sigma_\beta) \supseteq \chi_C \cup \chi_F \cup \chi_O$. Now by Lemma 12, $\forall l.\,\sigma''_l \ge \sigma_\beta$. Thus $\forall l.\,\mathrm{dom}(\sigma''_l) \supseteq \chi_C \cup \chi_F \cup \chi_O$, and so $\mathrm{dom}(\sigma) \supseteq \chi_C \cup \chi_F \cup \chi_O$. It remains to show that $\forall \sigma'.\,(\sigma' \ge \sigma \to \mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma')$. Take any arbitrary $\sigma'$ such that $\sigma' \ge \sigma$. Then $\sigma' \ge \sigma_\beta$, so by the inductive hypothesis $\mathcal{L}, \tau, k, \eta_0 \models \varphi_2\sigma'$. Also $\forall l.\,\sigma' \ge \sigma''_l$, so that again by the inductive hypothesis $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma'$. The semantics of $\mathcal{U}$ is: $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma'$ if and only if there exists $m \in \mathbb{N}$ with $m \ge j$ and $c \le (\tau_m - \tau_j) \le d$ such that $\mathcal{L}, \tau, m, \eta_0 \models \varphi_2\sigma'$ and for all $l \in \mathbb{N}$ with $j \le l < m$, $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma'$ holds. Instantiating $m$ with $k$ lets us conclude.


(Completeness)

$\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)\sigma$ if and only if $\mathcal{L}, \tau, j, \eta_0 \models (\varphi_1\sigma)\,\mathcal{U}_{[c,d]}\,(\varphi_2\sigma)$ if and only if there exists $k \ge j$ such that $c \le \tau_k - \tau_j \le d$, $\mathcal{L}, \tau, k, \eta_0 \models \varphi_2\sigma$, and for all $l$ with $j \le l < k$, $\mathcal{L}, \tau, l, \eta_0 \models \varphi_1\sigma$. W.l.o.g. $k$ is minimal.


Sub-Case $k = j$

Since $\mathrm{fv}(\varphi_2) \subseteq \mathrm{fv}(\varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2)$, by the inductive hypothesis $\exists \sigma_0 \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2).\,\sigma_0 \le \sigma$. Since $c \le 0 \le d$, by the construction of $S_\beta$ we have $(\sigma_0, j) \in S_\beta$, thus $\sigma_0 \in S_{R_1}$ and so $\sigma_0 \in \Sigma_{out}$.

Sub-Case $k > j$

Then, analogously to the previous case, $\exists \sigma_2 \in \mathrm{ips}(\mathcal{L}, k, \tau, \pi, \sigma_{in}, \varphi_2).\,\sigma_2 \le \sigma$. Also, for all $l$ with $j \le l < k$, $\sigma_2 \notin \mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_{in}, \varphi_2)$, or $k$ would not be minimal for $\sigma$. Thus $(\sigma_2, k) \in S_\beta$. By $\sigma \ge \sigma_{in}$, $\mathrm{dom}(\sigma) \supseteq \mathrm{dom}(\sigma_{in}) \supseteq \chi_C \cup \chi_F$. By inspection of the mode checking judgements (and lemmas) and soundness, $\mathrm{dom}(\sigma_2) \supseteq \chi_C \cup \chi_F \cup \chi_1$. Thus, by the I.H., for all $l$ with $j \le l < k$, $\exists \sigma''_l \in \mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_2, \varphi_1).\,\sigma''_l \le \sigma$. Since all $\sigma''_l$ are $\le \sigma$, the join $\sigma_0 = \bowtie_l \sigma''_l$ exists and $\sigma_0 \le \sigma$. Furthermore, by construction $\sigma_0 \in S_{R_2}$ and so $\sigma_0 \in \Sigma_{out}$.


□ 
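The $\mathrm{ips}$ cases proved above ($\top$, $\bot$, predicates through $\mathrm{sat}$, $\vee$, $\wedge$, $\exists$, $\forall x.(\varphi_1 \to \varphi_2)$, and $\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$ with $B \notin \mathrm{label}(\varphi)$ through the $S_{R_1}$/$S_{R_2}$ split) can be exercised directly on a small log. The Python program below is an added example, not code from the paper or its implementation: it models $\mathrm{ips}$ without summary structures (the $B$-labelled case and $\pi.\mathcal{A}$ are not modelled; $S_{R_2}$ is computed by brute force over every earlier position, which is exactly the offline search the summary structures are designed to avoid), evaluates $\models$ over the finite domain of constants in the log, and checks the soundness and completeness statement of the theorem for a given formula and input substitution. The tuple encoding of formulas, the predicate names send/auth/active, the time stamps, and the log are constructed for this example and are our assumptions.

```python
"""Added example (not the paper's code): a brute-force Python model of ips over a
finite log for the cases proved above (T, bottom, predicates, or, and, exists,
forall-implies and S_[c,d] through the S_R1 / S_R2 split), plus a checker for the
soundness/completeness statement.  Encoding, names and the sample log are ours."""
from itertools import product

# Formulas are nested tuples; variables are str, constants are ('c', value).
TRUE, FALSE = ("T",), ("F",)
def P(name, *args):    return ("P", name, args)
def Or(a, b):          return ("or", a, b)
def And(a, b):         return ("and", a, b)
def Ex(x, a):          return ("ex", x, a)
def All(x, a, b):      return ("all", x, a, b)          # forall x.(a -> b)
def Since(a, c, d, b): return ("since", a, (c, d), b)   # a S_[c,d] b

def fv(phi):
    k = phi[0]
    if k == "P":     return {a for a in phi[2] if isinstance(a, str)}
    if k == "ex":    return fv(phi[2]) - {phi[1]}
    if k == "all":   return (fv(phi[2]) | fv(phi[3])) - {phi[1]}
    if k == "since": return fv(phi[1]) | fv(phi[3])
    return fv(phi[1]) | fv(phi[2]) if k in ("or", "and") else set()

def extends(big, small):   # big >= small: big agrees with small on dom(small)
    return all(v in big and big[v] == small[v] for v in small)

def join(s1, s2):          # s1 |><| s2, or None when they disagree on a variable
    return None if any(v in s1 and s1[v] != s2[v] for v in s2) else {**s1, **s2}

def dedup(subs):
    return [s for i, s in enumerate(subs) if s not in subs[:i]]

def sat(log, j, name, args, s_in):
    """Grounding substitutions extending s_in under which name(args) holds at j."""
    out = []
    for tup in log[j].get(name, ()):
        s = dict(s_in)
        for a, val in zip(args, tup):       # constants must match, variables unify
            if (a[1] if isinstance(a, tuple) else s.setdefault(a, val)) != val: break
        else: out.append(s)
    return dedup(out)

def ips(log, tau, j, s_in, phi):
    k, r = phi[0], lambda jj, s, f: ips(log, tau, jj, s, f)
    if k == "T":   return [dict(s_in)]
    if k == "F":   return []
    if k == "P":   return sat(log, j, phi[1], phi[2], s_in)
    if k == "or":  return dedup(r(j, s_in, phi[1]) + r(j, s_in, phi[2]))
    if k == "and": return dedup([s for sc in r(j, s_in, phi[1]) for s in r(j, sc, phi[2])])
    if k == "ex":  return dedup([{v: t for v, t in s.items() if v != phi[1]} for s in r(j, s_in, phi[2])])
    if k == "all": return [dict(s_in)] if all(r(j, s1, phi[3]) for s1 in r(j, s_in, phi[2])) else []
    a, (c, d), b = phi[1], phi[2], phi[3]
    out = r(j, s_in, b) if c <= 0 <= d else []              # S_R1: b holds at j itself
    for kk in [kk for kk in range(j) if c <= tau[j] - tau[kk] <= d]:   # S_R2: b at kk < j
        for s_b in r(kk, s_in, b):                          # then a at every l in (kk, j]
            for choice in product(*[r(l, s_b, a) for l in range(kk + 1, j + 1)]):
                s = s_b
                for t in choice: s = s if s is None else join(s, t)
                if s is not None: out.append(s)
    return dedup(out)

def holds(log, tau, j, phi, s, dom):
    """Ground semantics; quantifiers range over the finite domain dom."""
    k, h = phi[0], lambda jj, f, ss: holds(log, tau, jj, f, ss, dom)
    if k in ("T", "F"): return k == "T"
    if k == "P":   return tuple(s[a] if isinstance(a, str) else a[1] for a in phi[2]) in log[j].get(phi[1], ())
    if k == "or":  return h(j, phi[1], s) or h(j, phi[2], s)
    if k == "and": return h(j, phi[1], s) and h(j, phi[2], s)
    if k == "ex":  return any(h(j, phi[2], {**s, phi[1]: t}) for t in dom)
    if k == "all": return all(not h(j, phi[2], {**s, phi[1]: t}) or h(j, phi[3], {**s, phi[1]: t}) for t in dom)
    a, (c, d), b = phi[1], phi[2], phi[3]
    return any(c <= tau[j] - tau[kk] <= d and h(kk, b, s) and all(h(l, a, s) for l in range(kk + 1, j + 1))
               for kk in range(j + 1))

def check_theorem(log, tau, j, phi, s_in):
    """Returns (sound, complete, ips result) for the statement proved above."""
    dom = sorted({v for pos in log for tups in pos.values() for tup in tups for v in tup} | set(s_in.values()))
    res, free = ips(log, tau, j, s_in, phi), sorted(fv(phi) | set(s_in))
    def groundings(base):            # every total substitution on `free` extending base
        rest = [v for v in free if v not in base]
        return [{**base, **dict(zip(rest, vals))} for vals in product(dom, repeat=len(rest))]
    sound = all(extends(s, s_in) and all(holds(log, tau, j, phi, g, dom) for g in groundings(s)) for s in res)
    complete = all(any(extends(g, s0) for s0 in res)
                   for g in groundings(s_in) if holds(log, tau, j, phi, g, dom))
    return sound, complete, res

# Constructed sample log (positions 0..3, time stamps TAU): send(p, m) = principal p
# sends record m; auth(p, m) = p was authorised for m; active(m) = m is still active.
TAU = [0, 10, 25, 40]
LOG = [{"auth": [("alice", "r1")], "active": [("r1",)]},
       {"auth": [("bob", "r2")], "active": [("r1",), ("r2",)]},
       {"send": [("alice", "r1")], "active": [("r1",), ("r2",)]},
       {"send": [("alice", "r1"), ("bob", "r2")], "active": [("r1",), ("r2",)]}]
# Policy (p is an input supplied through s_in): every record p sends has stayed active
# since an authorisation of p for it at most 30 time units earlier.
POLICY = All("m", P("send", "p", "m"), Since(P("active", "m"), 0, 30, P("auth", "p", "m")))
SENT_ACTIVE = Ex("m", And(P("send", "p", "m"), P("active", "m")))
```

Calling `ips(LOG, TAU, 3, {"p": "alice"}, POLICY)` returns the empty list: alice's send at position 3 has no authorisation within 30 time units, so for $\sigma_1 = \{p \mapsto alice, m \mapsto r1\}$ the set $\mathrm{ips}(\ldots, \sigma_1, \varphi_2)$ is empty and the $\forall$ case falls into its "no such $\sigma_2$" branch. With `{"p": "bob"}` it returns `[{"p": "bob"}]`, which is the $\{\sigma_{in}\}$ result of the $\forall$ soundness case. `check_theorem` verifies on each input that every returned substitution extends $\sigma_{in}$ and that every grounding of it satisfies the formula (soundness), and that every satisfying grounding extending $\sigma_{in}$ extends some returned substitution (completeness). Completeness here is relative to the finite domain used by `holds`; a grounding that maps a variable outside the log's constants never satisfies a predicate and therefore never needs a witness.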


The  following  lemma  states  that  the  number  of  substitutions  returned  by  ips  is  finite.  It  also 
states  that  the  size  of  our  state  n  (which  stores  the  summary  structures)  is  also  finite.  The  following 
lemma  is  used  to  show  the  termination  of  ips,  uSS,  and  consequently  checkCompliance. 

Lemma 15 (Finite substitutions). 1. For all formulas $\varphi$ of form either $\varphi_1\,\mathcal{S}_I\,\varphi_2$, $\Diamond_I\,\varphi'$, $\Box_I\,\varphi'$, or $\ominus_I\,\varphi'$, such that $\mathsf{B} \in label(\varphi)$, for all $i \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all states $\pi = (\mathcal{A}, i)$ such that $\pi$ is weakly consistent at $i$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, if

$\Big(\sum_{\varphi' \in \text{b-s-tsub}(\varphi)} \Upsilon(\pi, i, \varphi')\Big) + \Upsilon(\pi, i-1, \varphi)$ is finite, then $\sum_{\varphi' \in \text{b-tsub}(\varphi)} \Upsilon(\pi', i, \varphi')$ is finite, where $\pi' = (\mathcal{A}', i)$ and $\pi' = \mathrm{uSS}(\mathcal{L}, i, \tau, \pi, \varphi)$.

2. For all formulas $\varphi$, for all $j \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all states $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, for all substitutions $\sigma_{in}$, for some given $\chi_C$ and $\chi_F$ such that: (1) $\chi_C, \chi_F \vdash \varphi : \chi_O$, (2) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, (3) $dom(\sigma_{in}) \supseteq \chi_C \cup \chi_F$, (4) $\pi$ is strongly consistent at $i$ with respect to $\varphi$, $\tau$, and $\mathcal{L}$, (5) $\sum_{\varphi' \in \text{b-tsub}(\varphi)} \Upsilon(\pi, i, \varphi')$ is finite, if $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi) = \Sigma_{out}$ then $|\Sigma_{out}|$ is finite.

Proof. Note that, when uSS is called for a B-formula $\varphi$, it calls ips on strict subformulas of $\varphi$. However, ips does not call uSS directly and hence there is no cyclic dependency. The proof is by mutual induction on the structure of $\varphi$. We show select cases; the other cases are similar.


Case $\varphi = \top$.

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \top) = \Sigma_{out} = \{\sigma_{in}\}$. Thus $|\Sigma_{out}| = 1$, which is finite.

Case $\varphi = \bot$.

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \bot) = \Sigma_{out} = \emptyset$. Thus $|\Sigma_{out}| = 0$, which is finite.

Case $\varphi = p(t_1, \ldots, t_n)$.

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, p(t_1, \ldots, t_n)) = \Sigma_{out} = \mathrm{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$. From premise (1) we can say the pre-condition of the sat function (Claim 1) is satisfied. From Claim 1 we can say that $|\Sigma_{out}|$ is finite.

Case $\varphi = \varphi_1 \vee \varphi_2$.

Let $\Sigma_1 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ and $\Sigma_2 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \vee \varphi_2) = \Sigma_{out} = \Sigma_1 \cup \Sigma_2$. From premise 1 and inspecting the mode checking judgements, we can say the inductive hypothesis is applicable. By the inductive hypothesis, $|\Sigma_1|$ and $|\Sigma_2|$ are both finite. Thus $|\Sigma_{out}|$ is finite.

Case $\varphi = \varphi_1 \wedge \varphi_2$.

From the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \wedge \varphi_2) = \Sigma_{out}$ where

$\Sigma_{out} = \bigcup_{\sigma_c \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)} \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$.

From premise 1 and inspecting the mode checking judgements, we see that the inductive hypothesis is applicable to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. Let $\Sigma_1 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. By the inductive hypothesis, $|\Sigma_1|$ is finite. For all $\sigma_c \in \Sigma_1$, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$ is called. We also see from premise 1 and inspecting the mode checking judgements that the inductive hypothesis is applicable to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2) = \Sigma_2$ for each $\sigma_c \in \Sigma_1$. By the inductive hypothesis, each such $|\Sigma_2|$ is finite, from which it follows that $|\Sigma_{out}|$ is finite.

Case $\varphi = \exists x.\varphi_1$.

Let $\Sigma_1 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \exists x.\varphi_1) = \Sigma_{out} = \Sigma_1 \setminus \{x\}$. From premise 1 and inspecting the mode checking judgements, we see the inductive hypothesis is applicable. By the inductive hypothesis, $|\Sigma_1|$ is finite, from which it follows that $|\Sigma_{out}|$ is finite.

Case $\varphi = \forall x.(\varphi_1 \rightarrow \varphi_2)$.

Let $\Sigma_{out} \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \rightarrow \varphi_2))$. $\Sigma_{out}$ can be either $\emptyset$ or $\{\sigma_{in}\}$ according to the definition of ips. In both cases, $|\Sigma_{out}|$ is finite.
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Case  p  =  ip\S  \c,d\  and  B  E  label  (p) 


Sub- Case  To  show  (1): 


Given  ^  y^  T(7r,  i,  p)\  +  T(7i r,  i  —  l,y>)  is  finite  to  show  that  E  T(7r,*,^)  is  fi- 

(£>Eb-s-tsub(</?)  c13>Gb-tsub((>c>) 

nite,  it  is  sufficient  to  show  that  E  T{TT,i,p)-i  y  T(n,i,<p)  -  T(vr,i  -  l,p) 

(^Gb-tsub((/?)  (^Eb-s-tsub^) 

is  finite.  From  the  definition  of  T  (Definition  9),  we  know  that:  E  T(t r,i,p)  - 

(p£b-tsub((p) 

T  T(7T,i,^)^  -T(7T,*-  1,  </?)  =  (|7T.^(^)(*).Sa|  +  |7T.v4(<^)(z).SJg)|  +  \n.A(p) (i) .M| ) . 

y?Eb-s-tsub((/?) 


Thus,  it  is  sufficient  to  show  that  (|7t.„4.(<^)(*).§q|  +  |7t.^4(^j) (z) |  +  |7r..4(</?)(i).M|)  is  fi¬ 
nite.  We  will  show  that  the  following  are  all  finite:  |7r.*A(<^)(?).§a|,  \TT.A(p)(i).E>/3\,  and 

By  construction,  |7r.^l,((/?)(i).§^|  <  \n.A!{p)(i  —  1 ) .Sg |  +  | EUg | .  From  definition  of  E^,  we 
know  that  E^  <—  ips(£,  *,  r,  7r,  •,  pz).  From  premise,  Lemma [4j  and  consulting  the  appli¬ 
cable  mode  checking  judgements  (and  Lemma  [5j  [8]),  we  see  that  the  inductive  hypothesis 
of  (2)  is  applicable.  By  inductive  hypothesis,  | Eg |  is  finite  and  let  us  assume  it  is  m\.  From 
the  premise,  we  know  that  \ft.A! {p)(i  —  1 ) .Sg |  is  finite  and  let  us  assume  it  is  m2.  Thus, 

\tt .A' (p)(i).Sp\  <  m\  +  m2,  which  is  also  finite. 

Again  by  construction,  |7f.„4/(<^)(i).SQ,|  <  (x.\k.A!{p)(i  —  lj-Sajl  +  lEQ,!).  From  the  induction 
assumption,  we  know  that  \Tt.A'(p)(i  —  l).Sa)|  is  finite  and  thus  to  show  |7f.A,/((^)(i).SQ|  is 
finite  it  is  sufficient  to  show  that  |EQ|  is  finite. 

We  will  now  show  that  |Ea|  is  finite.  To  construct  EQ,  in  the  worst  case,  for  all  (a,  k )  pairs 
in  n.A'(p)(i)Sp ,  ips(£,  i.  r,  7r,  <t,  p\)  is  called.  From  the  premise,  Lemma[4j  and  consulting 
the  applicable  mode  checking  judgements,  we  see  that  the  inductive  hypothesis  of  (2)  is 
applicable.  By  inductive  hypothesis  of  (2),  each  call  to  ips(£,  i,  r,  n,  a,  p\)  returns  a  finite 
set  of  substitutions.  Let  us  assume  the  maximum  cardinality  of,  all  the  sets  of  substitutions 
returned  by  the  calls  to  ips,  is  m3.  Thus  by  construction,  |EQ|  <  (mi  +  m2)  x  m3,  which 
is  finite.  It  follows  that  |7r.„4/(<£>)(i).SQ,|  is  finite. 

From  construction  of  Tt.A!{p)(i)M,  we  know  that  Tt.A!(p){i)M.  =  U  Sr2.  Thus, 
|7f.„4/(</?)(i).R|  <  IjSjjJ  +  |  Sr2  I .  We  will  show  that  ISrJ  and  \Sr2\  are  both  finite,  con¬ 
cluding  our  proof. 

From  construction,  ISrJ  <  |7r._4./(c/?) (z) .Sg | .  As  |7f.„4/(</?)(z).S(g)|  is  finite  (shown  above), 
\Sfit  |  is  finite. 

From  construction,  \Sr2\  <  |-7r._4./ (t,^) (z) .Sg |  x  |7t..4/(<£)(z).§q)|.  As  shown  above,  | (eg) (z) .Sg | 
and  |7r.^l/((^)(*).SQ,|  are  both  finite.  This  concludes  our  proof  that  \Sr2\  is  finite  and  in  turn 
|7f.„4'((^)(i).M|  is  finite. 


Sub-Case  To  show  (2): 

Let  Ei  <—  n.A(piS  [c,ri] A2)('0-EL  From  the  definition  of  ips,  ips(£,i,  r, 

TT,a-m,piS  [C)d]p 2)  =  Tjout  =  <7in  X  n.A(piS  [cg] P2) (*) -R-  As  we  are  given  by  the  premise 

that  (  ^^T(7t,  i,  p)  I  is  finite,  we  know  that  |Ei|  is  finite.  It  follows  that  |E01tj|  is  finite. 

(£>Eb-tsub(</?) 
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Case  p  =  (piS  [c,^]^  and  B  0  label (p) 

According  to  the  definition  of  ips,  ips(£,  j,  r,  n,  p\S  [^^2)  =  £ out  =  Srx  U  Sr2.  It  is 
sufficient  to  show  that  ISrJ  and  \Sr2\  are  both  finite. 

We  will  first  show  that  by  inductive  hypothesis,  | Sp  |  is  finite.  In  the  worst  case,  c  <  Tj  —  T$  <  d, 
that  is  all  prior  trace  positions  satisfy  the  interval  constraint  [c,  d] . 

Let  us  now  consider,  for  all  l  where  0  <  l  <  j,  m  =  max |£i|.£i  4—  ips (£,  l ,  r,  n,  ain ,  <^2).  The 
maximum  size  of  \Sp\  can  be  (j  +  1)  X  m  by  construction.  By  the  inductive  hypothesis,  m  is 
finite.  As  j  G  N  is  finite,  it  follows  that  |£g|  is  finite. 

By  construction,  as  S r1  C  Sp,  <  \Sp\  and  it  follows  that  ISrJ  is  finite. 

By  construction  of  Sr2,  for  each  (a/3,  k)  G  S/3  where  k  /  j,  ips(£,  q,  r,  tv,  ap, 
pi)  is  called  for  all  q  such  that  k  <  q  <  j.  By  inductive  hypothesis,  \2jps(C,q,T,Tv,ap,p{)\  is 
finite  and  let  us  say  for  all  q  such  that  k  <  q  <  j,  mi  =  max\T,2\.T,2  4—  ips(£,  q,  r,  n,  ap,  pi). 
By  construction  (IX]  of  all  substitutions  for  all  positions  q),  \ Sf{2  \  is  finite. 

Thus,  it  follows  that  |S0U^|  is  finite. 

Case  p  =  piU  [crfP2- 

According  to  the  definition  of  ips,  ±.’ps(C,j,T,TV,pilA\Ci(np2)  =  £ out  =  Sr  1  U  Sr2.  It  is 
sufficient  to  show  that  | |  and  \Sr2\  are  both  finite. 

We  will  first  show  that  by  inductive  hypothesis,  \Sp\  is  finite.  Let  us  consider,  for  all  l  where 
b  <  l  <  e,  l  >  j,  e  is  the  minimal  position  such  that  re  —  tj  >  d,  b  is  the  minimal  position 
such  that  c  <  Tb  —  Tj  <  d,  and  m  =  max|£i|.£i  4—  ±ps(C,l,T,Tv,ain,p2)-  From  premise  2, 
we  can  say  that  such  a  finite  e  exists.  The  maximum  size  of  |  |  is  less  than  (e  —  b)  x  m  by 

construction.  By  the  inductive  hypothesis,  m  is  finite.  As  e  G  N  is  finite,  it  follows  that  \Sp\  is 
finite. 

By  construction,  as  Srx  C  Sp,  ISrJ  <  \Sp\  and  it  follows  that  \Srtt  \  is  finite. 

By  construction  of  Sr2,  for  each  ( ap,k )  G  Sp  where  k  >  j ,  ±ps(C,q,T,TV,ap, 
pi)  is  called  for  all  q  such  that  j  <  q  <  k.  By  inductive  hypothesis,  |ips(£,  q,  t,  n,  ap,  pi)\  is 
finite  and  let  us  say  for  all  q  such  that  j  <  q  <  k,  mi  =  Tnax\Y,2\.T,2  4—  ips(£,  q,  r,  tv,  ap,  pi). 
By  construction  (IX]  of  all  substitutions  of  all  positions  q),  |5r2|  is  finite. 

Thus,  it  follows  that  is  finite. 


□ 


Lemma 16 (Termination). For all formulas $\varphi$, the following holds:

1. For all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all $j \in \mathbb{N}$, for all substitutions $\sigma_{in}$, for all states $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, for some given $\chi_C, \chi_F$ such that: (1) $\chi_C, \chi_F \vdash \varphi : \chi_O$, (2) $dom(\sigma_{in}) \supseteq \chi_C \cup \chi_F$, (3) $\pi$ is strongly consistent at $i$ with respect to $\varphi$, $\tau$, and $\mathcal{L}$, (4) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, then $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi)$ terminates.

2. For all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all $i \in \mathbb{N}$, for all states $\pi = (\mathcal{A}, i)$ such that $\varphi$ is either of form $\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$, $\Box_{[c,d]}\,\varphi'$ or $\Diamond_{[c,d]}\,\varphi'$ such that $\emptyset, \emptyset \vdash \varphi : \chi_O$, and $\pi$ is weakly consistent at $i$ with respect to $\varphi$ and $\mathcal{L}$, then $\mathrm{uSS}(\mathcal{L}, i, \tau, \pi, \varphi)$ terminates.




Proof. Mutual induction on the structure of $\varphi$. We show select cases; the rest of the cases are similar.

Case $\varphi = \top$.

$\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \top)$ terminates trivially.

Case $\varphi = \bot$.

$\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \bot)$ terminates trivially.

Case $\varphi = p(t_1, \ldots, t_n)$.

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, p(t_1, \ldots, t_n)) = \Sigma_{out} = \mathrm{sat}(\mathcal{L}, j, \tau, p(t_1, \ldots, t_n), \sigma_{in})$. From premise (1) we can say the pre-condition of the sat function (Claim 1) is satisfied. From Claim 1 we can say that sat terminates, and from this it follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, p(t_1, \ldots, t_n))$ terminates.

Case $\varphi = \varphi_1 \vee \varphi_2$.

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \vee \varphi_2) = \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1) \cup \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$. From premise 1 and inspecting the mode checking judgements, we can say the inductive hypothesis is applicable. By the inductive hypothesis, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ and $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$ both terminate. Moreover, by Lemma 15, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ and $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_2)$ each independently return a finite number of substitutions. Hence, taking the union of the substitutions terminates. It follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \vee \varphi_2)$ terminates.

Case $\varphi = \varphi_1 \wedge \varphi_2$.

From the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \wedge \varphi_2) = \Sigma_{out}$ where

$\Sigma_{out} = \bigcup_{\sigma_c \in \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)} \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$.

From premise 1 and inspecting the mode checking judgements, we see that the inductive hypothesis is applicable to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. By the inductive hypothesis, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ terminates. Let $\Sigma_1 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. From Lemma 15 we have that $|\Sigma_1|$ is finite. For all $\sigma_c \in \Sigma_1$, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$ is called. We also see from premise 1 and inspecting the mode checking judgements that the inductive hypothesis is applicable to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$. By the inductive hypothesis, each call to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$ terminates, and there is a finite number of such calls. It follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1 \wedge \varphi_2)$ terminates.

Case $\varphi = \exists x.\varphi_1$.

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \exists x.\varphi_1) = \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1) \setminus \{x\}$. From premise 1 and inspecting the mode checking judgements, we see the inductive hypothesis is applicable. By the inductive hypothesis, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ terminates, from which it follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \exists x.\varphi_1)$ terminates.

Case $\varphi = \forall x.(\varphi_1 \rightarrow \varphi_2)$.

According to the definition of ips, to calculate $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \rightarrow \varphi_2))$ we first make a call to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. Let $\Sigma_1 \leftarrow \mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$. From premise 1 and inspecting the mode checking judgements, we see that the inductive hypothesis is applicable. By the inductive hypothesis, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1)$ terminates. From Lemma 15, we know that $|\Sigma_1|$ is finite. For all $\sigma_c \in \Sigma_1$, a call to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$ is made. From premise 1 and inspecting the mode checking judgements, we can again see that the inductive hypothesis is applicable to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$. By the inductive hypothesis, each such call to $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_c, \varphi_2)$ terminates, and there is a finite number of such calls. It follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \forall x.(\varphi_1 \rightarrow \varphi_2))$ terminates.


Case $\varphi = \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$ and $\mathsf{B} \in label(\varphi)$

Sub-Case: To show (1):

Let $\Sigma_1 \leftarrow \pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(i).\mathbb{R}$. From the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2) = \Sigma_{out} = \sigma_{in} \bowtie \Sigma_1$. From premise (1) and inspecting the mode checking judgements, we see that the inductive hypothesis of Lemma 15 (1) is applicable. By the inductive hypothesis, $|\Sigma_1|$ is finite. Thus, the join operation terminates and it follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$ terminates.

Sub-Case: To show (2):

From the definition of uSS, to calculate $\Sigma_\beta$, $\mathrm{ips}(\mathcal{L}, i, \tau, \pi, \cdot, \varphi_2)$ is called once. From the premise, Lemma 4, and inspecting the applicable mode checking judgements, we see that the inductive hypothesis of (1) is applicable. From the inductive hypothesis (1), we can say that $\mathrm{ips}(\mathcal{L}, i, \tau, \pi, \cdot, \varphi_2)$ terminates.

According to the proof of Lemma 15 (1), we know that $|\Sigma_\beta|$ is finite. We also know that $\pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(i-1).\mathbb{S}_\beta$ is finite. From this, we can say that calculating $S_{remove}$ and $S_{new}$ terminates. Finally, we can say that calculating $\pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(i).\mathbb{S}_\beta$ terminates, as each of the sets is finite.

While calculating $\pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(i).\mathbb{S}_\alpha$, for each $(\sigma, k)$ pair in $\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\beta$, ips is called once. From the premise, Lemma 4, and inspecting the applicable mode checking judgements, we see that the inductive hypothesis of (1) is applicable. By the inductive hypothesis (1), each such call to ips terminates. There are finitely many such calls to ips as there are finitely many $(\sigma, k)$ pairs in $\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\beta$. Hence, calculating $\Sigma_\alpha$ terminates. In the same vein, calculating $S_{new}$, $S_{update}$, and $\pi.\mathcal{A}(\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)(i).\mathbb{S}_\alpha$ terminates.

Finally, in the worst case, while calculating $\pi.\mathcal{A}(\varphi)(i).\mathbb{R}$, each $(\sigma, k)$ pair in $\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\beta$ is joined with each $(\sigma_1, j)$ pair in $\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\alpha$. As $|\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\beta|$ and $|\pi.\mathcal{A}(\varphi)(i).\mathbb{S}_\alpha|$ are finite, the join operations terminate, from which it follows that uSS terminates, concluding our proof.


Case $\varphi = \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$ and $\mathsf{B} \notin label(\varphi)$

According to the definition of ips, $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2) = \Sigma_{out} = S_{R_1} \cup S_{R_2}$. It is sufficient to show that the construction of the sets $S_{R_1}$ and $S_{R_2}$ terminates. We will then show that $|S_{R_1}|$ and $|S_{R_2}|$ are both finite and thus the set union operation terminates.

We will first show that the construction of $S_\beta$ terminates. By construction of $S_\beta$, a call to $\mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_{in}, \varphi_2)$ is made for all $l$ where $0 \le l \le j$ and $c \le \tau_j - \tau_l \le d$. From premise 1 and inspecting the mode checking judgements, we see that the inductive hypothesis is applicable to $\mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_{in}, \varphi_2)$. By the inductive hypothesis, each call to $\mathrm{ips}(\mathcal{L}, l, \tau, \pi, \sigma_{in}, \varphi_2)$ terminates, and there is a finite number ($j + 1$ in the worst case) of such calls. It follows that the construction of $S_\beta$ terminates.

By Lemma 15, $|S_\beta|$ is finite. By construction, each $\sigma$ is added to $S_{R_1}$ where $(\sigma, j) \in S_\beta$ and $c \le 0 \le d$. As there is a finite number of such $\sigma$, the construction of $S_{R_1}$ terminates. By construction, $|S_{R_1}| \le |S_\beta|$ and it follows that $|S_{R_1}|$ is finite.

By construction of $S_{R_2}$, for each $(\sigma_\beta, k) \in S_\beta$ where $k \ne j$, $\mathrm{ips}(\mathcal{L}, q, \tau, \pi, \sigma_\beta, \varphi_1)$ is called for all $q$ such that $k < q \le j$. By the inductive hypothesis, each call to $\mathrm{ips}(\mathcal{L}, q, \tau, \pi, \sigma_\beta, \varphi_1)$ terminates, and there is a finite number of such calls. Thus, the construction of the set $S_{R_2}$ terminates.

As both $|S_{R_1}|$ and $|S_{R_2}|$ are finite, the set union operation terminates. Thus, it follows that $\mathrm{ips}(\mathcal{L}, j, \tau, \pi, \sigma_{in}, \varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2)$ terminates.

Case $\varphi = \varphi_1\,\mathcal{U}_{[c,d]}\,\varphi_2$.

The proof for this case is similar to the preceding case.


□ 
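The $S_\beta$, $S_{R_1}$, $S_{R_2}$ construction that the Since cases of Lemma 15 and Lemma 16 reason about, as an added example that is not the paper's code: a brute-force ips for the uncached (non-B) $\varphi_1\,\mathcal{S}_{[c,d]}\,\varphi_2$ case, with the trace, the tuple-based mini formula syntax, the predicates notice and noOptOut, and the $[30, 365]$ bound all being my own constructed assumptions.

```python
"""Brute-force substitution-set evaluation of phi1 S_[c,d] phi2.

Added illustration written from the S_beta / S_R1 / S_R2 construction described
in the proofs of Lemma 15 and Lemma 16. It is NOT the paper's ips/uSS code and
keeps no summary structures: every call recomputes from the trace.
"""
from itertools import product

# Constructed sample trace. Position j holds {predicate: set of ground tuples};
# TAU[j] is its time stamp (arbitrary units, say days).
TAU = [0, 10, 40, 50, 70]
LOG = [
    {"notice": {("bank", "alice"), ("bank", "bob")}},
    {"noOptOut": {("alice",), ("bob",)}},
    {"noOptOut": {("alice",)}},                                   # bob opted out here
    {"noOptOut": {("alice",), ("bob",)}, "notice": {("bank", "carol")}},
    {"noOptOut": {("alice",), ("bob",), ("carol",)}},
]

# Constructed mini syntax (nested tuples):
#   ("true",) | ("atom", name, args) | ("and", f, g) | ("or", f, g)
#   | ("since", c, d, f, g)      meaning   f S_[c,d] g
# Variables are strings starting with "?"; a substitution is a dict var -> value.
def is_var(term):
    return isinstance(term, str) and term.startswith("?")

def join(s1, s2):
    """Join of two substitutions; None when they disagree on a shared variable."""
    for var, val in s1.items():
        if var in s2 and s2[var] != val:
            return None
    return {**s1, **s2}

def dedup(subs):
    seen, out = set(), []
    for s in subs:
        key = frozenset(s.items())
        if key not in seen:
            seen.add(key)
            out.append(s)
    return out

def sat(log, j, atom, sigma):
    """Atomic case: extend sigma by matching every tuple of the relation at j."""
    _, name, args = atom
    out = []
    for tup in log[j].get(name, ()):
        if len(tup) != len(args):
            continue
        ext = dict(sigma)
        for arg, val in zip(args, tup):
            bound = ext.get(arg) if is_var(arg) else arg
            if bound is not None and bound != val:
                break                         # clash with sigma or a constant
            if is_var(arg):
                ext[arg] = val
        else:
            out.append(ext)
    return out

def ips(log, tau, j, sigma_in, phi):
    """Substitutions extending sigma_in under which phi holds at position j."""
    kind = phi[0]
    if kind == "true":
        return [dict(sigma_in)]
    if kind == "atom":
        return sat(log, j, phi, sigma_in)
    if kind == "or":
        return dedup(ips(log, tau, j, sigma_in, phi[1]) + ips(log, tau, j, sigma_in, phi[2]))
    if kind == "and":
        # Left conjunct first; its substitutions ground the right conjunct.
        return dedup([s2 for s1 in ips(log, tau, j, sigma_in, phi[1])
                         for s2 in ips(log, tau, j, s1, phi[2])])
    if kind == "since":
        c, d, phi1, phi2 = phi[1:]
        # S_beta: (sigma, l) pairs with phi2 at l and tau_j - tau_l inside [c, d].
        s_beta = [(s, l) for l in range(j + 1) if c <= tau[j] - tau[l] <= d
                  for s in ips(log, tau, l, sigma_in, phi2)]
        # S_R1: phi2 holds at j itself (only possible when c <= 0 <= d).
        s_r1 = [s for s, l in s_beta if l == j]
        # S_R2: phi2 held at k < j and phi1 at every q with k < q <= j;
        # each result is the join of one substitution per position q.
        s_r2 = []
        for s_b, k in s_beta:
            if k == j:
                continue
            per_pos = [ips(log, tau, q, s_b, phi1) for q in range(k + 1, j + 1)]
            for combo in product(*per_pos):   # empty if phi1 fails at some q
                joined = s_b
                for s in combo:
                    joined = join(joined, s)
                    if joined is None:
                        break
                if joined is not None:
                    s_r2.append(joined)
        return dedup(s_r1 + s_r2)
    raise ValueError(f"unknown formula kind {kind!r}")

# Constructed GLBA-flavoured check: consumer ?q got a privacy notice from ?p1
# between c and d time units ago and has not opted out at any step since.
def consumers_with_standing_notice(j, c=30, d=365):
    phi = ("since", c, d, ("atom", "noOptOut", ("?q",)),
                          ("atom", "notice", ("?p1", "?q")))
    return ips(LOG, TAU, j, {}, phi)

if __name__ == "__main__":
    print(consumers_with_standing_notice(4))   # [{'?p1': 'bank', '?q': 'alice'}]
```

Bob drops out because noOptOut(bob) is missing at position 2, exactly the per-position check on $\varphi_1$ that $S_{R_2}$ performs; carol only appears once the bound is loosened to $[0, 30]$, which is the $S_\beta$ interval filter.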


The following two lemmas state that the checkCompliance function is correct and that it terminates. Theorem 1 follows from these two lemmas.

Lemma 17 (Correctness of the checkCompliance function). For all QMV formulas $\varphi$, for all $j \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all internal states $\pi = (\mathcal{A}, i)$ where $i \in \mathbb{N}$, for all empty environments $\eta_0$, such that: (1) $\pi$ is strongly consistent at $i \in \mathbb{N}$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, (2) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, (3) $\{\}, \{\} \vdash \varphi : \chi_O$, if $\mathrm{checkCompliance}(\mathcal{L}, j, \tau, \pi, \varphi) = truthValue$, then $(truthValue = \mathit{true}) \leftrightarrow \exists \sigma.(\mathcal{L}, \tau, j, \eta_0 \models \varphi\sigma)$.

Proof. The proof follows from the soundness argument of ips correctness, Lemma 11.

□

Lemma 18 (Termination of the checkCompliance function). For all QMV formulas $\varphi$, for all $j \in \mathbb{N}$, for all logs $\mathcal{L}$, for all time stamp sequences $\tau$, for all states $\pi = (\mathcal{A}, i)$, for all empty environments $\eta_0$, such that: (1) $\pi$ is strongly consistent at $i \in \mathbb{N}$ with respect to $\mathcal{L}$, $\tau$, and $\varphi$, (2) $i \ge j$ and $\tau_i - \tau_j \ge \Delta(\varphi)$, (3) $\{\}, \{\} \vdash \varphi : \chi_O$, the function $\mathrm{checkCompliance}(\mathcal{L}, j, \tau, \pi, \varphi)$ terminates.

Proof. The proof follows from the termination argument of the ips function (Lemma 16 (1)), as, according to the definition of the checkCompliance function, only the ips function is called from the checkCompliance function. □


E  Policies  and  their  Associated  Mode  Specification 

The HIPAA policy we use in our experiments is shown in Figure 13, and the mode specification for the predicates used in this policy is shown in Table 3. The HIPAA policy we use for our experiments contains rules from the following clauses of HIPAA: §164.502(a)(1)(i), §164.502(a)(1)(iv), §164.502(g)(3)(ii)(A), §164.510(a), §164.512(b)(1)(v), §164.512(j)(1)(ii)(A), §164.512(j)(1)(ii)(B), §164.508(a)(2), and §164.502(g)(3)(ii)(B). To get the original interpretation of HIPAA for these selected clauses, one can just replace the upper bound on the past temporal operators, bound, with $\infty$.

The GLBA policy we use in our experiments is the conjunction of the policies shown in Figure 14 and Figure 15. The mode specification for the predicates used in this policy is shown in Table 2. The GLBA policy we use for our experiments contains rules from the following clauses of GLBA: §6802(a), §6802(b), §6802(d), and §6803(a). To get the original interpretation of GLBA for these selected clauses, one can just replace the upper bound on the past temporal operators, bound, with $\infty$.


$\forall p_1, p_2, q, m, d, u, t.\ (send(p_1, p_2, m) \wedge info(m, d, u) \wedge contains(m, q, t)) \rightarrow$

$\Big(\ \big($

$\quad (inrole(p_1, coveredEntity) \wedge samePerson(p_2, q) \wedge attrIn(t, PHI))$

$\vee$

$\quad (inrole(p_1, coveredEntity) \wedge attrIn(t, PHI) \wedge (\exists m_1.\ (\Diamond_{[0,bound]}\,send(q, p_1, m_1)) \wedge isValidAuthz(m_1, p_1, p_2, q, t, u)))$

$\vee$

$\quad (inrole(p_1, coveredEntity) \wedge attrIn(t, PHI) \wedge (purpose(u, treatment) \vee purpose(u, payment) \vee purpose(u, healthCareOperations)) \wedge (\exists m_2.\ (\Diamond_{[0,bound]}\,send(q, p_1, m_2)) \wedge isValidConsent(m_2, p_1, p_2, q, t, u)))$

$\vee$

$\quad (inrole(p_1, coveredEntity) \wedge (inrole(p_2, clergy) \vee (notin(t, religiousAffiliation) \wedge \exists m_3.\ ((\Diamond_{[0,bound]}\,send(p_2, p_1, m_3)) \wedge isDirectoryRequestByName(m_3, p_2, p_1, q, t, u)))) \wedge attrIn(t, directoryInfo) \wedge purpose(u, directory)$
$\quad\quad \wedge\ (((\forall m_5.\ send(q, p_1, m_5) \rightarrow isNotDirectoryObjection(m_5, p_1, p_2, q, t, u))\ \mathcal{S}_{[0,bound]}\ (\exists m_4.\ send(p_1, q, m_4) \wedge isOpportunityToObject(m_4, p_1, p_2, q, t, u)))$
$\quad\quad\quad \vee\ (notPracticalToProvideOpportunityToObject(p_1, p_2, q, t, u) \wedge consistentWithPriorPreference(p_1, p_2, q, t, u) \wedge believesInBestInterest(p_1, p_2, q, t, u))))$

$\vee$

$\quad (inrole(p_1, provider) \wedge (workForceMemberOf(p_1, p_2) \vee providerOfMedicalSurveillance(p_1, p_2) \vee providesInjuryEvaluation(p_1, p_2)) \wedge inrole(p_2, employer) \wedge workForceMemberOf(q, p_2)$
$\quad\quad \wedge\ ((attrIn(t, workPlaceFindings) \wedge purpose(u, obligationToRecordWorkPlaceInjury)) \vee (attrIn(t, medicalSurveillanceFindings) \wedge purpose(u, obligationToPerformWorkPlaceSurveillance)))$
$\quad\quad \wedge\ \exists m_6.\ ((\Diamond_{[0,bound]}\,send(p_1, q, m_6)) \wedge isNoticeofWorkplaceDisclosure(m_6)))$

$\vee$

$\quad (inrole(p_1, coveredEntity) \wedge inrole(p_2, lawEnforcement) \wedge attrIn(t, PHI) \wedge toIdentifyOrApprehend(u, q) \wedge consistentWithAppLaw(p_1, p_2, q, t, u)$
$\quad\quad \wedge\ \exists m_7.\ ((\Diamond_{[0,bound]}\,send(q, p_1, m_7)) \wedge isAdmissionOfCrime(m_7) \wedge believesCrimeCausedSeriousHarm(p_1, m_7)) \wedge notLearnedWhileTreatingPropensityForCrime(p_1, q, t) \wedge notLearnedThroughRequestForTreatment(p_1, q, t)$
$\quad\quad \wedge\ (\exists m_8.\ ((\Diamond_{[0,bound]}\,send(q, p_1, m_8)) \wedge isAdmissionOfCrime2(m_8, q) \wedge containsMsg(m, m_8) \wedge contains(m_8, q, t) \wedge attrIn(t, attribute\text{-}list\text{-}164.512j3))))$

$\vee$

$\quad (inrole(p_1, coveredEntity) \wedge inrole(p_2, lawEnforcement) \wedge attrIn(t, PHI) \wedge toIdentifyOrApprehend(u, q) \wedge consistentWithAppLaw(p_1, p_2, q, t, u) \wedge believesEscapeLawfulCustody(p_1, q))$

$\vee$

$\quad (inrole(p_1, coveredEntity) \wedge (parentOf(p_2, q) \vee guardianOf(p_2, q) \vee localParentOf(p_2, q)) \wedge attrIn(t, PHI) \wedge permittedByOtherLaw(p_1, p_2, q, t, u))\ \big)$

$\wedge$

$\quad (notinrole(p_1, coveredEntity) \vee notin(t, psychNotes) \vee (\exists m_9.\ ((\Diamond_{[0,bound]}\,send(q, p_1, m_9)) \wedge isValidAuthz(m_9, p_1, p_2, q, t, u))) \vee (inrole(p_1, coveredEntity) \wedge forCounselingOrTrainingPrograms(u, p_1)) \vee (inrole(p_1, coveredEntity) \wedge forDefenseInLegalProceeding(u, p_1, q)))$

$\wedge$

$\quad (notinrole(p_1, coveredEntity) \vee (notParentOf(p_2, q) \wedge notGuardianOf(p_2, q) \wedge notLocalParentOf(p_2, q)) \vee notin(t, PHI) \vee notProhibitedByOtherLaw(p_1, p_2, q, t, u))\ \Big)$

Figure 13: HIPAA policy used in our empirical evaluation.
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send 

contains 

info 

isNoticeOfDisclosure 

affiliateOf  (-,+) 

notconsumerof  (+,+) 

notin  (+,+) 

isOptOut 

isNoticeofPotential Disclosure 

inrole  (-,+) 

notinrole  (+,+) 

nonAffiliateOf  (+,+) 

consumerOf  (-,+) 

organizationOf  (-,+) 

attrln  (+,+) 

purpose  (+,+) 

existsConfidentialityAgreement  (+,+,+) 

lawyerOf  (+,-) 

notpurpose  (+,+) 

processConsumerAuthorizedService  (+,+) 

securitizationSale  (+,+) 

samePerson  (-,+) 

extendsCreditOnBehalf  (-,+) 

maintainConsumerAccount  (-,+) 

isConsentForDisclosure  (+,+,+,+,+,+) 

protectRecordSecurity  (+,+) 

beneficiallnterestOf  (-,+) 

financialRepresentativeOf  (-,+) 

forResolvingCustomerDispute  (+,+) 

ratingAgencyOf  (-,+) 

complianceAssesor  (-,+) 

attorneyOf  (-,+) 

accountantOf  (-,+) 

auditorOf  (-,+) 

specificallyPermittedOrRequiredByLaw  (+,+,+,+,+) 

inAccordanceWithRightToFinancialPrivacyActOfl978  (+,+,+,+,+) 

subUnitOf  (-,+) 

forSale  (+,+) 

forMerger  (+,+) 

forTransfer  (+,+) 

forExchange  (+,+) 

inAccordanceWithFairCreditReportingAgency  (+,+,+,+,+) 

isConsumerReport  (+) 

isResponseTo  (+,+) 

authorizedByLaw  (+) 

newCustomer  (-,+) 

renewedCustomer  (-,+) 

certified PublicAccountOfAState  (+) 

subjectToEthicalDisclosureProvision  (+) 

Table  2: 

ments. 


Mode  definition  of  predicates  of  the  GLBA  policy  (Figure  14  and  Figure  15 )  used  in  the  experi- 


Predicate                                           Mode
send
contains
info
attrIn                                              (+,+)
inrole                                              (-,+)
samePerson                                          (-,+)
isValidAuthorization                                (+,+,+,+,+,+)
purpose                                             (+,+)
isValidConsent                                      (+,+,+,+,+,+)
notin                                               (+,+)
isDirectoryRequestByName
notPracticalToProvideOpportunityToObject            (+,+,+,+,+)
consistentWithPriorPreference                       (+,+,+,+,+)
believesInBestInterest                              (+,+,+,+,+)
isOpportunityToObject                               (+,+,+,+,+,+)
isNotDirectoryObjection                             (+,+,+,+,+,+)
workForceMemberOf                                   (-,+)
providerOfMedicalSurveillance                       (-,+)
providesInjuryEvaluation                            (-,+)
isNoticeofWorkplaceDisclosure                       (+)
notinrole                                           (+,+)
notParentOf                                         (+,+)
notGuardianOf                                       (+,+)
notLocalParentOf                                    (+,+)
notProhibitedByOtherLaw                             (+,+,+,+,+)
toIdentifyOrApprehend                               (+,+)
consistentWithApplicableLaw                         (+,+,+,+,+)
isAdmissionOfCrime                                  (+)
believesCrimeCausedSeriousHarm                      (+,+)
notLearnedWhileTreatingPropensityForCrime           (+,+,+)
notLearnedThroughRequestForTreatment                (+,+,+)
isAdmissionOfCrime2                                 (+,+)
containsMsg                                         (+,+)
believesEscapeLawfulCustody                         (+,+)
permittedByOtherLaw                                 (+,+,+,+,+)
parentOf                                            (-,+)
guardianOf                                          (-,+)
localParentOf                                       (-,+)
forCounselingOrTrainingPrograms                     (+,+)
forDefenseInLegalProceeding                         (+,+,+)

Table 3: Mode definition of predicates of the HIPAA policy (Figure 13) used in the experiments.


F Experimental Results

In this section, we present the experimental results of our empirical evaluation. Figure 16 shows the HIPAA experimental result for the average execution time over different trace lengths for varying bounds when the event traces are stored in a memory-backed database. The next figure shows the comparative maximum memory usage (excluding the event trace) of precis over reduce for the HIPAA experiment just above. Figure 18 shows the HIPAA experimental result for the average execution time over different trace lengths for varying bounds when the event traces are stored in a disk-backed database. It is very apparent that the relative speed of precis over reduce increases when the event trace is stored in a disk-backed database. It is also apparent that, with increasing bounds, the memory usage of precis for storing the summary structures increases significantly faster than that of reduce. When the event trace is stored in a disk-backed database, precis achieves a speedup of 3.5x-10x over reduce, which is higher than the speedup precis achieves over reduce when traces are stored in a memory-backed database (2.5x-6.5x).

Figure 19 shows the GLBA experimental result for the average execution time over different trace lengths for varying bounds when the event traces are stored in a memory-backed database. Figure 20 shows the GLBA experimental result for the average execution time over different trace lengths for varying bounds when the event traces are stored in a disk-backed database. As the number of B-formulas in the GLBA policy is 4 out of 9 (less than 50%), the speedup achieved by precis over reduce is not as significant as in the case of the HIPAA policy. Moreover, the speedup achieved by precis over reduce does not vary between the disk-backed and memory-backed cases, for the same reason. Figure 21 shows the comparative maximum memory usage (excluding the event trace) of precis over reduce for the GLBA experiment where the event traces were stored in an in-memory SQLite3 database. The memory consumption of precis, relative to reduce, increases with the bound of the past temporal operators. This is to be expected, as with an increasing bound on the past temporal operators precis has to store more substitutions in the associated summary structures. The curve representing the maximum memory usage of precis flattens out when the trace length exceeds the bound, because after that point precis stores the substitutions for bound number of steps at each point in time.
\begin{align*}
&\forall p_1, p_2, q, m, d, u, t.\ (send(p_1, p_2, m) \wedge info(m, d, u) \wedge contains(m, q, t)) \rightarrow \\
&\quad \Big( (notinrole(p_1, institution) \vee affiliateOf(p_2, p_1) \vee notconsumerof(q, p_1) \vee notin(t, npi)) \\
&\quad \vee (\blacklozenge_{[0,\mathit{bound}]} (\exists m_1.((send(p_1, q, m_1) \vee \exists p_{100}.(send(p_1, p_{100}, m_1) \wedge lawyerOf(p_{100}, q))) \wedge isNoticeOfDisclosure(m_1, p_1, p_2, q, t, u)))) \\
&\quad \vee (\lozenge_{[0,30]} (\exists m_2.((send(p_1, q, m_2) \vee \exists p_{101}.(send(p_1, p_{101}, m_2) \wedge lawyerOf(p_{101}, q))) \wedge isNoticeOfDisclosure(m_2, p_1, p_2, q, t, u)))) \\
&\quad \vee (processConsumerAuthorizedService(u, q) \vee securitizationSale(u, q) \vee \exists p_{107}.((samePerson(p_{107}, p_1) \vee extendsCreditOnBehalf(p_{107}, p_1)) \wedge maintainConsumerAccount(p_{107}, q))) \\
&\quad \vee (\exists m_6.(\blacklozenge_{[0,\mathit{bound}]} ((send(q, p_1, m_6) \vee (\exists p_{108}.send(p_{108}, p_1, m_6) \wedge lawyerOf(p_{108}, q))) \wedge isConsentForDisclosure(m_6, p_1, p_2, q, t, u)))) \\
&\quad \vee (protectRecordSecurity(u, q) \vee beneficialInterestOf(p_2, q) \vee financialRepresentativeOf(p_2, q) \vee purpose(u, requiredRiskControl) \vee forResolvingCustomerDispute(u, q)) \\
&\quad \vee (inrole(p_2, insuranceRateAdvisoryOrg) \vee inrole(p_2, guarantyAgency) \vee ratingAgencyOf(p_2, p_1) \vee complianceAssesor(p_2, p_1) \vee attorneyOf(p_2, p_1) \vee accountantOf(p_2, p_1) \vee auditorOf(p_2, p_1)) \\
&\quad \vee (specificallyPermittedOrRequiredByLaw(p_1, p_2, q, t, u) \vee inAccordanceWithRightToFinancialPrivacyActOf1978(p_1, p_2, q, t, u) \vee inrole(p_2, lawEnforcementAgency) \vee inrole(p_2, selfRegulatoryOrganization) \vee purpose(u, publicSafetyInvestigation)) \\
&\quad \vee ((inrole(p_2, consumerReportingAgency) \wedge inAccordanceWithFairCreditReportingAgency(p_1, p_2, q, t, u)) \vee (\blacklozenge_{[0,\mathit{bound}]} (\exists p_{111}, m_8.(send(p_{111}, p_1, m_8) \wedge inrole(p_{111}, consumerReportingAgency) \wedge isConsumerReport(m_8) \wedge contains(m_8, q, t))))) \\
&\quad \vee (\exists p_{110}.(subUnitOf(p_{110}, p_1) \wedge consumerOf(q, p_{110}) \wedge (forSale(u, p_{110}) \vee forMerger(u, p_{110}) \vee forTransfer(u, p_{110}) \vee forExchange(u, p_{110})))) \\
&\quad \vee (purpose(u, complianceWithLegalRequirements) \vee purpose(u, complianceWithInvestigation) \vee purpose(u, complianceWithSummons) \\
&\qquad \vee (\exists m_7.(\blacklozenge_{[0,\mathit{bound}]} (send(p_2, p_1, m_7) \wedge (inrole(p_2, judicialProcess) \vee inrole(p_2, governmentRegulatoryAuthority))) \wedge isResponseTo(m, m_7) \wedge (purpose(u, examination) \vee purpose(u, compliance) \vee authorizedByLaw(u))))) \Big) \\
&\wedge \\
&\quad \Big( (notinrole(p_1, institution) \vee affiliateOf(p_2, p_1) \vee notconsumerof(q, p_1) \vee notin(t, npi)) \\
&\quad \vee \big( (\forall m_3.((send(q, p_1, m_3) \vee \exists p_{104}.(send(p_{104}, p_1, m_3) \wedge lawyerOf(p_{104}, q))) \wedge isOptOut(m_3, p_1, p_2, q, t, u)) \rightarrow false) \\
&\qquad\ \mathcal{S}_{[30,\mathit{bound}]}\ (\exists m_4.(send(p_1, q, m_4) \vee \exists p_{105}.(send(p_1, p_{105}, m_4) \wedge lawyerOf(p_{105}, q))) \wedge isNoticeofPotentialDisclosure(m_4, p_1, p_2, q, t, u)) \big) \\
&\quad \vee (inrole(p_1, institution) \wedge nonAffiliateOf(p_2, p_1) \wedge consumerOf(q, p_1) \wedge attrIn(t, npi) \wedge purpose(u, performServices) \wedge existsConfidentialityAgreement(p_1, p_2, t) \\
&\qquad \wedge (\blacklozenge_{[0,\mathit{bound}]} (\exists m_5.(send(p_1, q, m_5) \vee \exists p_{106}.(send(p_1, p_{106}, m_5) \wedge lawyerOf(p_{106}, q))) \wedge isNoticeofPotentialDisclosure(m_5, p_1, p_2, q, t, u)))) \\
&\quad \vee (processConsumerAuthorizedService(u, q) \vee securitizationSale(u, q) \vee \exists p_{107}.((samePerson(p_{107}, p_1) \vee extendsCreditOnBehalf(p_{107}, p_1)) \wedge maintainConsumerAccount(p_{107}, q))) \\
&\quad \vee (\exists m_6.(\blacklozenge_{[0,\mathit{bound}]} ((send(q, p_1, m_6) \vee (\exists p_{108}.send(p_{108}, p_1, m_6) \wedge lawyerOf(p_{108}, q))) \wedge isConsentForDisclosure(m_6, p_1, p_2, q, t, u)))) \\
&\quad \vee (protectRecordSecurity(u, q) \vee beneficialInterestOf(p_2, q) \vee financialRepresentativeOf(p_2, q) \vee purpose(u, requiredRiskControl) \vee forResolvingCustomerDispute(u, q)) \\
&\quad \vee (inrole(p_2, insuranceRateAdvisoryOrg) \vee inrole(p_2, guarantyAgency) \vee ratingAgencyOf(p_2, p_1) \vee complianceAssesor(p_2, p_1) \vee attorneyOf(p_2, p_1) \vee accountantOf(p_2, p_1) \vee auditorOf(p_2, p_1)) \\
&\quad \vee (specificallyPermittedOrRequiredByLaw(p_1, p_2, q, t, u) \vee inAccordanceWithRightToFinancialPrivacyActOf1978(p_1, p_2, q, t, u) \vee inrole(p_2, lawEnforcementAgency) \vee inrole(p_2, selfRegulatoryOrganization) \vee purpose(u, publicSafetyInvestigation)) \\
&\quad \vee ((inrole(p_2, consumerReportingAgency) \wedge inAccordanceWithFairCreditReportingAgency(p_1, p_2, q, t, u)) \vee (\blacklozenge_{[0,\mathit{bound}]} (\exists p_{111}, m_8.(send(p_{111}, p_1, m_8) \wedge inrole(p_{111}, consumerReportingAgency) \wedge isConsumerReport(m_8) \wedge contains(m_8, q, t))))) \\
&\quad \vee (\exists p_{110}.(subUnitOf(p_{110}, p_1) \wedge consumerOf(q, p_{110}) \wedge (forSale(u, p_{110}) \vee forMerger(u, p_{110}) \vee forTransfer(u, p_{110}) \vee forExchange(u, p_{110})))) \\
&\quad \vee (purpose(u, complianceWithLegalRequirements) \vee purpose(u, complianceWithInvestigation) \vee purpose(u, complianceWithSummons) \\
&\qquad \vee (\exists m_7.(\blacklozenge_{[0,\mathit{bound}]} (send(p_2, p_1, m_7) \wedge (inrole(p_2, judicialProcess) \vee inrole(p_2, governmentRegulatoryAuthority))) \wedge isResponseTo(m, m_7) \wedge (purpose(u, examination) \vee purpose(u, compliance) \vee authorizedByLaw(u))))) \Big) \\
&\wedge \\
&\quad \Big( (notinrole(p_1, institution) \vee affiliateOf(p_2, p_1) \vee notconsumerof(q, p_1) \vee notin(t, accountNumber) \vee notpurpose(u, marketing)) \\
&\quad \vee (inrole(p_1, institution) \wedge inrole(p_2, consumerReportingAgency) \wedge consumerOf(q, p_1) \wedge attrIn(t, accountNumber)) \Big)
\end{align*}

Figure 14: GLBA policy (conjunct-1) used in our empirical evaluation. The rules in this policy correspond
to the privacy rules §6802(a), §6802(b), and §6802(d) of GLBA.
\begin{align*}
&\forall p_1, q_1.\ (inrole(p_1, institution) \wedge (newCustomer(q_1, p_1) \vee renewedCustomer(q_1, p_1))) \rightarrow \\
&\quad \Big( \big(\exists m_9.(\lozenge_{[0,365]} (send(p_1, q_1, m_9) \vee (\exists p_{112}.(send(p_1, p_{112}, m_9) \wedge lawyerOf(p_{112}, q_1))) \\
&\qquad \wedge (contains(m_9, p_1, npiPoliciesAndPractices) \vee contains(m_9, p_1, npiCategoriesCollected) \\
&\qquad \vee contains(m_9, p_1, npiSecurityPolicies) \vee contains(m_9, p_1, npiDisclosuresToAffiliates))))\big) \\
&\quad \vee \big( certifiedPublicAccountOfAState(p_1) \wedge subjectToEthicalDisclosureProvision(p_1) \big) \Big)
\end{align*}


Figure 15: GLBA policy (conjunct-2) used in our empirical evaluation. The rule in this policy corresponds
to the privacy clause §6803(a) of GLBA.
Figure 16: Experimental timing results (HIPAA) with memory-backed database

[plot; y-axis: maximum memory consumption (in MB)]

Figure 17: Experimental memory results (HIPAA) with memory-backed database

Figure 18: Experimental timing results (HIPAA) with disk-backed database

Figure 19: Experimental timing results (GLBA) with memory-backed database

Figure 20: Experimental timing results (GLBA) with disk-backed database

Figure 21: Experimental memory results (GLBA) with memory-backed database